From 99c99c4c16b1327288fd76c44bc8635a1de452bc Mon Sep 17 00:00:00 2001 From: Alan Hamlett Date: Tue, 30 Jun 2015 11:00:14 -0700 Subject: [PATCH] Enable autoescape for `render_template_string` --- CHANGES | 2 ++ docs/templating.rst | 5 ++++- docs/upgrading.rst | 4 ++++ flask/app.py | 4 ++-- flask/templating.py | 2 +- tests/templates/non_escaping_template.txt | 8 ++++++++ tests/test_templating.py | 21 ++++++++++++++++++++- 7 files changed, 41 insertions(+), 5 deletions(-) create mode 100644 tests/templates/non_escaping_template.txt diff --git a/CHANGES b/CHANGES index 8310761f..b33c3795 100644 --- a/CHANGES +++ b/CHANGES @@ -68,6 +68,8 @@ Version 1.0 handlers (pull request ``#1393``). - Allow custom Jinja environment subclasses (pull request ``#1422``). - ``flask.g`` now has ``pop()`` and ``setdefault`` methods. +- Turn on autoescape for ``flask.templating.render_template_string`` by default + (pull request ``#1515``). Version 0.10.2 -------------- diff --git a/docs/templating.rst b/docs/templating.rst index a8c8d0a9..11d5d48d 100644 --- a/docs/templating.rst +++ b/docs/templating.rst @@ -18,7 +18,10 @@ Jinja Setup Unless customized, Jinja2 is configured by Flask as follows: - autoescaping is enabled for all templates ending in ``.html``, - ``.htm``, ``.xml`` as well as ``.xhtml`` + ``.htm``, ``.xml`` as well as ``.xhtml`` when using + :func:`~flask.templating.render_template`. +- autoescaping is enabled for all strings when using + :func:`~flask.templating.render_template_string`. - a template has the ability to opt in/out autoescaping with the ``{% autoescape %}`` tag. - Flask inserts a couple of global functions and helpers into the diff --git a/docs/upgrading.rst b/docs/upgrading.rst index b0460b38..fca4d75b 100644 --- a/docs/upgrading.rst +++ b/docs/upgrading.rst 
@@ -37,6 +37,10 @@ Now the inheritance hierarchy takes precedence and handlers for more specific exception classes are executed instead of more general ones. See :ref:`error-handlers` for specifics. +The :func:`~flask.templating.render_template_string` function has changed to +autoescape template variables by default. This better matches the behavior +of :func:`~flask.templating.render_template`. + .. note:: There used to be a logic error allowing you to register handlers diff --git a/flask/app.py b/flask/app.py index dae6b24e..f0a8b69b 100644 --- a/flask/app.py +++ b/flask/app.py @@ -724,12 +724,12 @@ class Flask(_PackageBoundObject): def select_jinja_autoescape(self, filename): """Returns ``True`` if autoescaping should be active for the given - template name. + template name. If no template name is given, returns `True`. .. versionadded:: 0.5 """ if filename is None: - return False + return True return filename.endswith(('.html', '.htm', '.xml', '.xhtml')) def update_template_context(self, context): diff --git a/flask/templating.py b/flask/templating.py index 59fd988e..8c95a6a7 100644 --- a/flask/templating.py +++ b/flask/templating.py @@ -127,7 +127,7 @@ def render_template(template_name_or_list, **context): def render_template_string(source, **context): """Renders a template from the given template source string - with the given context. + with the given context. Template variables will be autoescaped. :param source: the source code of the template to be rendered diff --git a/tests/templates/non_escaping_template.txt b/tests/templates/non_escaping_template.txt new file mode 100644 index 00000000..542864e8 --- /dev/null +++ b/tests/templates/non_escaping_template.txt @@ -0,0 +1,8 @@ +{{ text }} +{{ html }} +{% autoescape false %}{{ text }} +{{ html }}{% endautoescape %} +{% autoescape true %}{{ text }} +{{ html }}{% endautoescape %} +{{ text }} +{{ html }} diff --git a/tests/test_templating.py b/tests/test_templating.py index 293ca06f..b60a592a 100644 
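Review bot: The new docstring line in `select_jinja_autoescape`, `If no template name is given, returns `True`.`, uses single backticks while the line above uses ``True``; in reST a single-backtick span is interpreted text rather than a literal, so the rendered API docs will show the two differently — change it to ``True``. Because this is a public method that subclasses may override to restore the old default, the behavior change also deserves a `.. versionchanged:: 1.0` entry beside the existing `.. versionadded:: 0.5`, e.g. `.. versionchanged:: 1.0` / `   A ``None`` filename now enables autoescaping (previously it disabled it).`. Presumably this method is installed as the Jinja environment's ``autoescape`` callable, in which case every template created without a name through the app's environment — not only ``render_template_string`` — now escapes by default, and the docstring could say so. The rest of the ``Flask`` class is outside the hunk.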
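Review bot: The added sentence `Template variables will be autoescaped.` in the `render_template_string` docstring reads as a safety guarantee, but autoescaping only covers values substituted from ``context``; the ``source`` string is itself executed as a Jinja template, so building it from request data is a template-injection hole that this change does nothing to close. I would add one sentence to the docstring: `Only the values passed in ``context`` are escaped; ``source`` is executed as a template and must come from trusted code, never from user input.` The remainder of ``render_template_string`` lies outside the hunk.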
--- a/tests/test_templating.py +++ b/tests/test_templating.py @@ -81,10 +81,29 @@ def test_escaping(): ] def test_no_escaping(): + text = '

Hello World!' + app = flask.Flask(__name__) + @app.route('/') + def index(): + return flask.render_template('non_escaping_template.txt', text=text, + html=flask.Markup(text)) + lines = app.test_client().get('/').data.splitlines() + assert lines == [ + b'

Hello World!', + b'

Hello World!', + b'

Hello World!', + b'

Hello World!', + b'<p>Hello World!', + b'

Hello World!', + b'

Hello World!', + b'

Hello World!' + ] + +def test_escaping_without_template_filename(): app = flask.Flask(__name__) with app.test_request_context(): assert flask.render_template_string( - '{{ foo }}', foo='') == '' + '{{ foo }}', foo='') == '<test>' assert flask.render_template('mail.txt', foo='') == \ ' Mail'
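Review bot: `test_escaping_without_template_filename` pins only the default escaping path of ``render_template_string``; nothing in the hunk asserts that ``flask.Markup`` values pass through unescaped or that ``{% autoescape false %}`` still opts out for string templates, which are exactly the compatibility paths the upgrade note relies on, so a regression there would go unnoticed. I would add `assert flask.render_template_string('{{ foo }}', foo=flask.Markup('<b>')) == '<b>'` and `assert flask.render_template_string('{% autoescape false %}{{ foo }}{% endautoescape %}', foo='<b>') == '<b>'` inside the same ``test_request_context`` block. As a point of style, `test_no_escaping` builds a full app, a route and a test client to render one file template, where `with app.test_request_context(): flask.render_template(...)` as in the sibling test would exercise the same code path with less setup. The angle-bracket markup in the fixture values appears stripped in this rendering of the patch, so the exact expected strings cannot be checked from here.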