use Jinja name consistently

David Lord 2025-08-19 10:43:16 -07:00
parent 38b4c1e19b
commit d8259eb119
No known key found for this signature in database
GPG key ID: 43368A7AA8CC5926
9 changed files with 31 additions and 31 deletions

@ -51,12 +51,12 @@ tags. For more information on that have a look at the Wikipedia article
on `Cross-Site Scripting
<https://en.wikipedia.org/wiki/Cross-site_scripting>`_.
Flask configures Jinja2 to automatically escape all values unless
Flask configures Jinja to automatically escape all values unless
explicitly told otherwise. This should rule out all XSS problems caused
in templates, but there are still other places where you have to be
careful:
- generating HTML without the help of Jinja2
- generating HTML without the help of Jinja
- calling :class:`~markupsafe.Markup` on data submitted by users
- sending out HTML from uploaded files, never do that, use the
``Content-Disposition: attachment`` header to prevent that problem.
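Review bot: The unchanged sentence right after the renamed line, "This should rule out all XSS problems caused in templates", overstates what autoescaping covers, because a later paragraph in this same file says Jinja cannot protect against XSS by attribute injection. Since this paragraph is being touched anyway, consider softening it to "This should rule out most XSS problems caused in templates". The rename itself is applied correctly on both changed lines.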
@ -65,7 +65,7 @@ careful:
trick a browser to execute HTML.
Another thing that is very important are unquoted attributes. While
Jinja2 can protect you from XSS issues by escaping HTML, there is one
Jinja can protect you from XSS issues by escaping HTML, there is one
thing it cannot protect you from: XSS by attribute injection. To counter
this possible attack vector, be sure to always quote your attributes with
either double or single quotes when using Jinja expressions in them:
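Review bot: The context line directly above the changed one, "Another thing that is very important are unquoted attributes", has a subject-verb mismatch, and "trick a browser to execute HTML" at the top of the hunk would read better as "trick a browser into executing HTML". Neither is introduced by this commit, but both could be fixed while the paragraph is open, for example "Unquoted attributes are another important concern." The closing line already said "Jinja expressions", so the paragraph uses the name consistently after this change.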