I am researching some security bugs within some websites and would like to know if Jinja2 enables autoescape by default. According to the Jinja documentation ( http://jinja.pocoo.org/docs/2.9/faq/#why-is-autoescaping-not-the-default ), it doesn't, but while I was testing the app on a new system, it was enabled (I may have accidentally done that though, not sure).
Can anyone shine some light on this?
According to the Flask documentation:

"Unless customized, Jinja2 is configured by Flask as follows: autoescaping is enabled for all templates ending in .html, .htm, .xml as well as .xhtml when using render_template()."

Also:

"autoescaping is enabled for all strings when using render_template_string()."

Finally:

"a template has the ability to opt in/out autoescaping with the {% autoescape %} tag."

So, while Jinja may not autoescape by default, Flask turns on Jinja's autoescaping by default.
As @mgilson's answer states, autoescape is NOT enabled by default on all files, but only on those ending with .html, .htm, .xml and .xhtml. Not everyone uses these extensions because they may be misleading: the code they contain is not normal (X)HTML code, but rather Jinja templates; to clarify this some people use the extension .j2.
In order to enable autoescape for all files regardless of their extension, one can use the following code:
app.jinja_options["autoescape"] = lambda _: True
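The following is an added example, not code from either answer or from the Flask or Jinja projects. It shows the three situations the answers describe side by side: a bare Jinja2 Environment (autoescape off), Flask's extension-based rule reproduced with select_autoescape, and the "always on" callable from the second answer, plus the {% autoescape %} opt-out tag. The rendered template, the untrusted value and the template filenames are constructed for the demonstration; it assumes Jinja2 2.9 or newer, where select_autoescape and the autoescape tag are built in, and it does not need Flask.

```python
"""Added example (not from the original question or answers): how Jinja2's
autoescape setting behaves on its own, under Flask's default selection rule,
and with the "always on" override.  Assumes Jinja2 >= 2.9."""
from jinja2 import DictLoader, Environment, select_autoescape

# Constructed sample input: a value a visitor could submit through a form field.
UNTRUSTED_NAME = "<script>alert(1)</script>"
TEMPLATE = "Hello {{ name }}!"

# Flask's default extension list, as quoted in the answers above.
FLASK_AUTOESCAPE_EXTS = ("html", "htm", "xml", "xhtml")


def render_bare_jinja(name=UNTRUSTED_NAME):
    """A plain Environment: autoescape is off, matching the Jinja FAQ."""
    env = Environment()
    return env.from_string(TEMPLATE).render(name=name)


def render_flask_default(template_name, name=UNTRUSTED_NAME):
    """Reproduce Flask's rule with select_autoescape: escape only when the
    template's filename ends in one of FLASK_AUTOESCAPE_EXTS."""
    env = Environment(
        loader=DictLoader({template_name: TEMPLATE}),
        autoescape=select_autoescape(FLASK_AUTOESCAPE_EXTS),
    )
    return env.get_template(template_name).render(name=name)


def render_always_escaped(template_name, name=UNTRUSTED_NAME):
    """The override from the second answer: a callable that ignores the
    filename and returns True, so .j2 and every other extension are escaped."""
    env = Environment(
        loader=DictLoader({template_name: TEMPLATE}),
        autoescape=lambda _: True,
    )
    return env.get_template(template_name).render(name=name)


def render_opt_out(name=UNTRUSTED_NAME):
    """Even with autoescape on, a template can switch it off for a block with
    the {% autoescape %} tag; anything inside that block is emitted verbatim,
    which is why templates deserve review even when the global setting is on."""
    env = Environment(autoescape=True)
    template = env.from_string(
        "{% autoescape false %}{{ name }}{% endautoescape %}"
    )
    return template.render(name=name)


def is_escaped(rendered):
    """Check helper: True when no raw angle bracket survived rendering."""
    return "<" not in rendered and ">" not in rendered


if __name__ == "__main__":
    print("bare Jinja      :", render_bare_jinja())
    print("page.html       :", render_flask_default("page.html"))
    print("page.j2         :", render_flask_default("page.j2"))
    print("page.j2 (always):", render_always_escaped("page.j2"))
    print("opt-out block   :", render_opt_out())
```

Running it prints the .j2 template unescaped under Flask's default rule and escaped under the lambda override, which is the gap the second answer's app.jinja_options line closes. The is_escaped helper is the kind of check worth running over rendered output in a test suite whenever templates with non-standard extensions are added.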