From cc66213e579d6b35d9951c21b685d0078f373c44 Mon Sep 17 00:00:00 2001
From: Jonah Lawrence
Date: Sun, 30 Oct 2022 08:55:51 -0600
Subject: [PATCH] Add .svg to select_jinja_autoescape (#4840)

As SVG files are a type of XML file and are similar in nearly all aspects to XML, .svg should also be autoescaped.
---
 CHANGES.rst         | 3 +++
 docs/templating.rst | 2 +-
 src/flask/app.py    | 5 ++++-
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/CHANGES.rst b/CHANGES.rst
index 6c3ff32c..c66bf7b8 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -9,6 +9,9 @@ Version 2.2.3
 Unreleased
+- Autoescaping is now enabled by default for ``.svg`` files. Inside
+  templates this behavior can be changed with the ``autoescape`` tag.
+  :issue:`4831`
 Version 2.2.2
 -------------
diff --git a/docs/templating.rst b/docs/templating.rst
index 3cda995e..f497de73 100644
--- a/docs/templating.rst
+++ b/docs/templating.rst
@@ -18,7 +18,7 @@ Jinja Setup
 Unless customized, Jinja2 is configured by Flask as follows:
 - autoescaping is enabled for all templates ending in ``.html``,
-  ``.htm``, ``.xml`` as well as ``.xhtml`` when using
+  ``.htm``, ``.xml``, ``.xhtml``, as well as ``.svg`` when using
   :func:`~flask.templating.render_template`.
 - autoescaping is enabled for all strings when using
   :func:`~flask.templating.render_template_string`.
diff --git a/src/flask/app.py b/src/flask/app.py
index ce4dcf6a..aa5bd3cc 100644
--- a/src/flask/app.py
+++ b/src/flask/app.py
@@ -961,11 +961,14 @@ class Flask(Scaffold):
         """Returns ``True`` if autoescaping should be active for the given
         template name. If no template name is given, returns `True`.
+        .. versionchanged:: 2.2
+            Autoescaping is now enabled by default for ``.svg`` files.
+
         .. versionadded:: 0.5
         """
         if filename is None:
             return True
-        return filename.endswith((".html", ".htm", ".xml", ".xhtml"))
+        return filename.endswith((".html", ".htm", ".xml", ".xhtml", ".svg"))
     def update_template_context(self, context: dict) -> None:
         """Update the template context with some commonly used variables.
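Review bot: The extension test on the last added line is case-sensitive, so a template stored as `logo.SVG` (or `index.HTML`) still renders without autoescaping even though the docs in this commit now promise it for these types, and an unescaped SVG or HTML template is exactly where injected markup becomes script execution. If existing deployments do not rely on the exact-case match, `return filename.lower().endswith((".html", ".htm", ".xml", ".xhtml", ".svg"))` closes that gap; otherwise the docstring should state that the comparison is case-sensitive. Separately, the new `.. versionchanged:: 2.2` directive appears to disagree with the CHANGES entry in the same commit, which files this under 2.2.3. The signature of select_jinja_autoescape lies above the hunk.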