Skip to content Skip to sidebar Skip to footer
Home / Flask / Python

Disabling Autoescape In Flask

Post a Comment
I want to show some text to the user. the string variable I'm sending has multiple newline characters and I dont want \n to be displayed. so I did: footext = '''f o o''' #footext

Solution 1:

There are two reasonable approaches you could take.

Solution 1

As you are combining unsafe input with HTML into a single variable flask.Markup is actually quite a handy way to do this. Basic idea is to split your text on the newline characters, make sure you HTML escape each of the lines which you do not trust, then glue them back together joined by <br /> tags which you do trust.

Here's the complete app to demonstrate this. It uses the same bar.html template as in your question. Note that I've added some unsafe HTML to the footext as a demonstration of why turning off autoescaping is not a safe solution to your problem.

import flask

app = flask.Flask(__name__)

footext = """f
o
<script>alert('oops')</script>
o"""@app.route("/foo")deffoo():
    text = ""for line in footext.split('\n'):
        text += flask.Markup.escape(line) + flask.Markup('<br />')
    return flask.render_template("bar.html", text=text)

if __name__ == "__main__":
    app.run(debug=True)

Solution 2

Another option would be to push the complexity into your template, leaving you with a much simpler view. Just split footext into lines, then you can loop over it in your template and autoescaping will take care of keeping this safe.

Simpler view:

@app.route("/foo")deffoo():
    return flask.render_template("bar.html", text=footext.split('\n'))

Template bar.html becomes:

<html>
    {%- for line in text -%}
        {{ line }}
        {%- if not loop.last -%}
            <br />
        {%- endif -%}
    {%- endfor -%}
</html>

Conclusion

I personally prefer solution 2, because it puts the rendering concerns (lines are separated by <br /> tags) in the template where they belong. If you ever wanted to change this in future to, say, show the lines in a bulleted list instead, you'd just have to change your template, not your code.

Solution 2:

I will leave my previous answer as a bad example.

A very good solution for this kind of thing is a custom filter, which would let you use a syntax such as 

{{ block_of_text | nl2br }}

which, conveniently, you can do with this nl2br filter snippet (or easily customize)!

Solution 3:

Turn autoescaping off in the Jinja2 template, or use a raw block.

Post a Comment for "Disabling Autoescape In Flask"