diff --git a/docs/quickstart.rst b/docs/quickstart.rst index 71336a22..d3a481ee 100644 --- a/docs/quickstart.rst +++ b/docs/quickstart.rst @@ -15,13 +15,12 @@ A minimal Flask application looks something like this: .. code-block:: python from flask import Flask - from markupsafe import escape app = Flask(__name__) @app.route("/") def hello_world(): - return f"
Hello, {escape(name)}!
" + return "Hello, World!
" So what did that code do? @@ -38,14 +37,6 @@ So what did that code do? browser. The default content type is HTML, so HTML in the string will be rendered by the browser. -.. note:: HTML escaping - - When returning HTML (the default response type in Flask), any user - input rendered in the output must be escaped to protect from - injection attacks. HTML templates in Jinja, introduced later, will - do this automatically. :func:`~markupsafe.escape`, shown above, can - be used manually. It's omitted for brevity in the examples below. - Save it as :file:`hello.py` or something similar. Make sure to not call your application :file:`flask.py` because this would conflict with Flask itself. @@ -177,6 +168,34 @@ documentation`_. Have another debugger in mind? See :ref:`working-with-debuggers`. +HTML Escaping +------------- + +When returning HTML (the default response type in Flask), any +user-provided values rendered in the output must be escaped to protect +from injection attacks. HTML templates rendered with Jinja, introduced +later, will do this automatically. + +:func:`~markupsafe.escape`, shown here, can be used manually. It is +omitted in most examples for brevity, but you should always be aware of +how you're using untrusted data. + +.. code-block:: python + + from markupsafe import escape + + @app.route("/
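Review bot: In the first hunk (the minimal `hello.py` example), the old body `return f"Hello, {escape(name)}!"` referenced `name` inside `hello_world()` even though the `"/"` route takes no parameter, so the example would have raised `NameError` if run; the static `"Hello, World!"` return is the right fix. Since this hunk also drops `from markupsafe import escape`, please confirm nothing between this block and the new section at line 168 still calls `escape`, otherwise that intermediate code stops running.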
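Review bot: The second hunk removes the `.. note:: HTML escaping` right after the sentence "The default content type is HTML, so HTML in the string will be rendered by the browser.", so a reader now gets the HTML-is-rendered statement with no pointer to escaping until roughly 130 lines later. Suggest leaving a one-line cross-reference in its place (for example a `.. _html-escaping:` label on the new section and a `See :ref:` sentence here) so the first place the quickstart returns raw HTML still says where untrusted values must be escaped.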
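Review bot: In the third hunk, the new "HTML Escaping" section's code block ends at `@app.route("/` in this view, so the route and its use of `escape` cannot be reviewed as complete; confirm the full block (the route parameter and the `escape(...)` call on it) made it into the commit, and that the block either defines `app` or the prose says it builds on the `app` from the first example. Consider also naming the attack class in "protect from injection attacks" as cross-site scripting (XSS), since that is what unescaped HTML output exposes and it helps readers search for the right mitigation.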