Browse Source

Merge branch 'alanhamlett-master'

Fix #1515
pull/1530/head
Markus Unterwaditzer 9 years ago
parent
commit
db09c6798e
  1. 2
      CHANGES
  2. 5
      docs/templating.rst
  3. 4
      docs/upgrading.rst
  4. 4
      flask/app.py
  5. 2
      flask/templating.py
  6. 8
      tests/templates/non_escaping_template.txt
  7. 21
      tests/test_templating.py

2
CHANGES

@ -68,6 +68,8 @@ Version 1.0
handlers (pull request ``#1393``). handlers (pull request ``#1393``).
- Allow custom Jinja environment subclasses (pull request ``#1422``). - Allow custom Jinja environment subclasses (pull request ``#1422``).
- ``flask.g`` now has ``pop()`` and ``setdefault`` methods. - ``flask.g`` now has ``pop()`` and ``setdefault`` methods.
- Turn on autoescape for ``flask.templating.render_template_string`` by default
(pull request ``#1515``).
Version 0.10.2 Version 0.10.2
-------------- --------------

5
docs/templating.rst

@ -18,7 +18,10 @@ Jinja Setup
Unless customized, Jinja2 is configured by Flask as follows: Unless customized, Jinja2 is configured by Flask as follows:
- autoescaping is enabled for all templates ending in ``.html``, - autoescaping is enabled for all templates ending in ``.html``,
``.htm``, ``.xml`` as well as ``.xhtml`` ``.htm``, ``.xml`` as well as ``.xhtml`` when using
:func:`~flask.templating.render_template`.
- autoescaping is enabled for all strings when using
:func:`~flask.templating.render_template_string`.
- a template has the ability to opt in/out autoescaping with the - a template has the ability to opt in/out autoescaping with the
``{% autoescape %}`` tag. ``{% autoescape %}`` tag.
- Flask inserts a couple of global functions and helpers into the - Flask inserts a couple of global functions and helpers into the

4
docs/upgrading.rst

@ -37,6 +37,10 @@ Now the inheritance hierarchy takes precedence and handlers for more
specific exception classes are executed instead of more general ones. specific exception classes are executed instead of more general ones.
See :ref:`error-handlers` for specifics. See :ref:`error-handlers` for specifics.
The :func:`~flask.templating.render_template_string` function has changed to
autoescape template variables by default. This better matches the behavior
of :func:`~flask.templating.render_template`.
.. note:: .. note::
There used to be a logic error allowing you to register handlers There used to be a logic error allowing you to register handlers

4
flask/app.py

@ -724,12 +724,12 @@ class Flask(_PackageBoundObject):
def select_jinja_autoescape(self, filename): def select_jinja_autoescape(self, filename):
"""Returns ``True`` if autoescaping should be active for the given """Returns ``True`` if autoescaping should be active for the given
template name. template name. If no template name is given, returns `True`.
.. versionadded:: 0.5 .. versionadded:: 0.5
""" """
if filename is None: if filename is None:
return False return True
return filename.endswith(('.html', '.htm', '.xml', '.xhtml')) return filename.endswith(('.html', '.htm', '.xml', '.xhtml'))
def update_template_context(self, context): def update_template_context(self, context):

2
flask/templating.py

@ -127,7 +127,7 @@ def render_template(template_name_or_list, **context):
def render_template_string(source, **context): def render_template_string(source, **context):
"""Renders a template from the given template source string """Renders a template from the given template source string
with the given context. with the given context. Template variables will be autoescaped.
:param source: the source code of the template to be :param source: the source code of the template to be
rendered rendered

8
tests/templates/non_escaping_template.txt

@ -0,0 +1,8 @@
{{ text }}
{{ html }}
{% autoescape false %}{{ text }}
{{ html }}{% endautoescape %}
{% autoescape true %}{{ text }}
{{ html }}{% endautoescape %}
{{ text }}
{{ html }}

21
tests/test_templating.py

@ -81,10 +81,29 @@ def test_escaping():
] ]
def test_no_escaping(): def test_no_escaping():
text = '<p>Hello World!'
app = flask.Flask(__name__)
@app.route('/')
def index():
return flask.render_template('non_escaping_template.txt', text=text,
html=flask.Markup(text))
lines = app.test_client().get('/').data.splitlines()
assert lines == [
b'<p>Hello World!',
b'<p>Hello World!',
b'<p>Hello World!',
b'<p>Hello World!',
b'&lt;p&gt;Hello World!',
b'<p>Hello World!',
b'<p>Hello World!',
b'<p>Hello World!'
]
def test_escaping_without_template_filename():
app = flask.Flask(__name__) app = flask.Flask(__name__)
with app.test_request_context(): with app.test_request_context():
assert flask.render_template_string( assert flask.render_template_string(
'{{ foo }}', foo='<test>') == '<test>' '{{ foo }}', foo='<test>') == '&lt;test&gt;'
assert flask.render_template('mail.txt', foo='<test>') == \ assert flask.render_template('mail.txt', foo='<test>') == \
'<test> Mail' '<test> Mail'

Loading…
Cancel
Save