Skip to content

turn on autoescape for flask.templating.render_template_string #1176

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
alanhamlett wants to merge 3 commits into from
Closed

turn on autoescape for flask.templating.render_template_string #1176

alanhamlett wants to merge 3 commits into from
+31 −7

Conversation

@alanhamlett
Copy link
Contributor

@alanhamlett alanhamlett commented Sep 14, 2014

This seems like a sane default, since Flask turns on autoescape by default for html files when using the more common render_template so users will be expecting render_template_string to autoescape their template variables.

@untitaker
Copy link
Contributor

untitaker commented Sep 14, 2014

Sensible or not, this is a drastical change in behavior and a breakage of the API that deserves more discussion than just a simple PR.

@alanhamlett
Copy link
Contributor Author

alanhamlett commented Sep 15, 2014

@untitaker sure, where do we start?

@untitaker
Copy link
Contributor

untitaker commented Sep 15, 2014

There are a few questions unanswered:

  • How to deal with code that relies on the current default
  • Whether the change is worth the compatibility breakage
  • Which reasons @mitsuhiko originally had for the current default

@alanhamlett
Copy link
Contributor Author

alanhamlett commented Dec 16, 2014

How to deal with code that relies on the current default

This search finds too many usages than I know how to deal with, so just a note in the release changes?
https://github.com/search?q=render_template_string&type=Code

Whether the change is worth the compatibility breakage

I'm always for breaking compatibility in favor of better defaults, but it's not only my decision.

Which reasons @mitsuhiko originally had for the current default

@mitsuhiko any input?

@alanhamlett
Copy link
Contributor Author

alanhamlett commented Jun 23, 2015

What should we do about this? If this pull request isn't going to be merged I'll remove it...

@untitaker
Copy link
Contributor

untitaker commented Jun 23, 2015

I think it should be included in 1.0, but mitsuhiko should decide.

It doesn't seem that he is reachable atm, but please reopen anyway.

On 23 June 2015 09:34:05 CEST, Alan Hamlett notifications@github.com wrote:

Closed #1176.

Reply to this email directly or view it on GitHub:
#1176 (comment)

@alanhamlett alanhamlett mentioned this pull request Jun 24, 2015
Closed
@alanhamlett
Copy link
Contributor Author

alanhamlett commented Jun 24, 2015

I deleted the fork, so can't reopen. Created a new pull request #1515.

@garrettr garrettr mentioned this pull request Dec 30, 2016
Closed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 14, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alanhamlett @untitaker