
Is Autoescape default in jinja2 (Flask)?

I am researching some security bugs within some websites and would like to know if Jinja2 enables autoescape by default. According to the Jinja documentation ( http://jinja.pocoo.org/docs/2.9/faq/#why-is-autoescaping-not-the-default ), it doesn't, but while I was testing the app on a new system, it was enabled (I may have accidentally done that though, not sure).

Can anyone shine some light on this?

According to the Flask documentation:

Unless customized, Jinja2 is configured by Flask as follows:

autoescaping is enabled for all templates ending in .html, .htm, .xml as well as .xhtml when using render_template().

Also:

autoescaping is enabled for all strings when using render_template_string().

Finally:

a template has the ability to opt in/out autoescaping with the {% autoescape %} tag.

So, while Jinja may not autoescape by default, Flask turns on Jinja's autoescaping by default.

As @mgilson's answer states, autoescape is NOT enabled by default on all files, but only on those ending with .html, .htm, .xml and .xhtml. Not everyone uses these extensions because they may be misleading: the code they contain is not normal (X)HTML code, but rather Jinja templates; to clarify this some people use the extension .j2.

In order to enable autoescape for all files regardless of their extension, one can use the following code:

app.jinja_options["autoescape"] = lambda _: True
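As an added illustration (not code from this thread or from Flask itself), the documented extension rule and the override above, re-implemented with the standard library so it runs without Flask installed. It shows which template names Flask's default policy leaves unescaped, what the `lambda _: True` override changes, and an audit helper for listing templates in a project that would be rendered raw under the default; `flask_default_policy`, `escape_everything`, `render_value` and `templates_rendered_raw` are names chosen here, not Flask APIs.

```python
import html
from typing import Callable, Iterable, List, Optional

# Extensions for which Flask enables Jinja autoescaping (from the Flask docs quoted above).
FLASK_AUTOESCAPE_EXTENSIONS = (".html", ".htm", ".xml", ".xhtml")


def flask_default_policy(template_name: Optional[str]) -> bool:
    """Mirror of the documented default (illustrative, not Flask's own code):
    render_template_string() has no template name (None) and is always escaped;
    a file is escaped only when its extension is one of the four above."""
    if template_name is None:
        return True
    return template_name.lower().endswith(FLASK_AUTOESCAPE_EXTENSIONS)


def escape_everything(_template_name: Optional[str]) -> bool:
    """The policy selected by app.jinja_options["autoescape"] = lambda _: True."""
    return True


def render_value(value: str, template_name: Optional[str],
                 policy: Callable[[Optional[str]], bool] = flask_default_policy) -> str:
    """What a {{ value }} substitution yields for `value` under `policy`.
    html.escape stands in for markupsafe.escape; both escape & < > " and ',
    though the single quote is encoded slightly differently."""
    return html.escape(value, quote=True) if policy(template_name) else value


def templates_rendered_raw(template_names: Iterable[str],
                           policy: Callable[[Optional[str]], bool] = flask_default_policy) -> List[str]:
    """Audit helper: template names the policy would render WITHOUT escaping,
    e.g. the .j2 or .txt files in a project's templates folder."""
    return [name for name in template_names if not policy(name)]


if __name__ == "__main__":
    # Constructed sample of a templates folder listing.
    listing = ["index.html", "layout.j2", "mail.txt", "feed.xml"]
    print("default policy renders raw:", templates_rendered_raw(listing))
    print("override renders raw:", templates_rendered_raw(listing, escape_everything))
    print(render_value("<script>", "layout.j2"))
    print(render_value("<script>", "layout.j2", escape_everything))
```

In a real app the override must be assigned before `app.jinja_env` is first accessed, because Flask builds the Jinja environment lazily and reads `jinja_options` only at that point.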

