Enable autoescape for `render_template_string`

9 years ago · 99c99c4c16
7 changed files with 41 additions and 5 deletions
--- a/2
+++ b/2
@ -68,6 +68,8 @@ Version 1.0
  handlers (pull request ``#1393``).
 - Allow custom Jinja environment subclasses (pull request ``#1422``).
 - ``flask.g`` now has ``pop()`` and ``setdefault`` methods.
+- Turn on autoescape for ``flask.templating.render_template_string`` by default
+  (pull request ``#1515``).

 Version 0.10.2
 --------------
--- a/docs/templating.rst
+++ b/docs/templating.rst
@ -18,7 +18,10 @@ Jinja Setup
 Unless customized, Jinja2 is configured by Flask as follows:

 -   autoescaping is enabled for all templates ending in ``.html``,
-    ``.htm``, ``.xml`` as well as ``.xhtml``
+    ``.htm``, ``.xml`` as well as ``.xhtml`` when using
+    :func:`~flask.templating.render_template`.
+-   autoescaping is enabled for all strings when using
+    :func:`~flask.templating.render_template_string`.
 -   a template has the ability to opt in/out autoescaping with the
    ``{% autoescape %}`` tag.
 -   Flask inserts a couple of global functions and helpers into the
--- a/docs/upgrading.rst
+++ b/docs/upgrading.rst
@ -37,6 +37,10 @@ Now the inheritance hierarchy takes precedence and handlers for more
 specific exception classes are executed instead of more general ones.
 See :ref:`error-handlers` for specifics.

+The :func:`~flask.templating.render_template_string` function has changed to
+autoescape template variables by default. This better matches the behavior
+of :func:`~flask.templating.render_template`.
+
 .. note::

    There used to be a logic error allowing you to register handlers
--- a/flask/app.py
+++ b/flask/app.py
@ -724,12 +724,12 @@ class Flask(_PackageBoundObject):

    def select_jinja_autoescape(self, filename):
        """Returns ``True`` if autoescaping should be active for the given
-        template name.
+        template name. If no template name is given, returns `True`.

        .. versionadded:: 0.5
        """
        if filename is None:
-            return False
+            return True
        return filename.endswith(('.html', '.htm', '.xml', '.xhtml'))

    def update_template_context(self, context):
--- a/flask/templating.py
+++ b/flask/templating.py
@ -127,7 +127,7 @@ def render_template(template_name_or_list, **context):

 def render_template_string(source, **context):
    """Renders a template from the given template source string
-    with the given context.
+    with the given context. Template variables will be autoescaped.

    :param source: the source code of the template to be
                   rendered
--- a/tests/templates/non_escaping_template.txt
+++ b/tests/templates/non_escaping_template.txt
@ -0,0 +1,8 @@
+{{ text }}
+{{ html }}
+{% autoescape false %}{{ text }}
+{{ html }}{% endautoescape %}
+{% autoescape true %}{{ text }}
+{{ html }}{% endautoescape %}
+{{ text }}
+{{ html }}
--- a/tests/test_templating.py
+++ b/tests/test_templating.py
@ -81,10 +81,29 @@ def test_escaping():
    ]

 def test_no_escaping():
+    text = '<p>Hello World!'
+    app = flask.Flask(__name__)
+    @app.route('/')
+    def index():
+        return flask.render_template('non_escaping_template.txt', text=text,
+                                     html=flask.Markup(text))
+    lines = app.test_client().get('/').data.splitlines()
+    assert lines == [
+        b'<p>Hello World!',
+        b'<p>Hello World!',
+        b'<p>Hello World!',
+        b'<p>Hello World!',
+        b'&lt;p&gt;Hello World!',
+        b'<p>Hello World!',
+        b'<p>Hello World!',
+        b'<p>Hello World!'
+    ]
+
+def test_escaping_without_template_filename():
    app = flask.Flask(__name__)
    with app.test_request_context():
        assert flask.render_template_string(
-            '{{ foo }}', foo='<test>') == '<test>'
+            '{{ foo }}', foo='<test>') == '&lt;test&gt;'
        assert flask.render_template('mail.txt', foo='<test>') == \
            '<test> Mail'