Enable autoescape for render_template_string

Alan Hamlett 2015-06-30 11:00:14 -07:00 committed by Markus Unterwaditzer
parent e4f635f8d7
commit 99c99c4c16
7 changed files with 41 additions and 5 deletions

@ -18,7 +18,10 @@ Jinja Setup
Unless customized, Jinja2 is configured by Flask as follows:
- autoescaping is enabled for all templates ending in ``.html``,
``.htm``, ``.xml`` as well as ``.xhtml``
``.htm``, ``.xml`` as well as ``.xhtml`` when using
:func:`~flask.templating.render_template`.
- autoescaping is enabled for all strings when using
:func:`~flask.templating.render_template_string`.
- a template has the ability to opt in/out autoescaping with the
``{% autoescape %}`` tag.
- Flask inserts a couple of global functions and helpers into the
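Review bot: The new bullet for :func:`~flask.templating.render_template_string` says autoescaping is enabled "for all strings", which is ambiguous: it can be read as "every string value is escaped", while the setting applies to any template passed in as a string, whatever its name or extension. Suggest wording along the lines of "autoescaping is enabled for all templates passed as strings to :func:`~flask.templating.render_template_string`". The bullet also carries no ``.. versionchanged::`` marker, so a reader running an older release would assume escaping that is not there; please add one. Since the upgrade note in this commit describes the change as escaping "template variables", it is worth saying the same here, so nobody concludes that user input concatenated into the template source itself is covered.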

@ -37,6 +37,10 @@ Now the inheritance hierarchy takes precedence and handlers for more
specific exception classes are executed instead of more general ones.
See :ref:`error-handlers` for specifics.
The :func:`~flask.templating.render_template_string` function has changed to
autoescape template variables by default. This better matches the behavior
of :func:`~flask.templating.render_template`.
.. note::
There used to be a logic error allowing you to register handlers
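Review bot: The added upgrade paragraph on :func:`~flask.templating.render_template_string` states the new default but gives no migration guidance for applications that relied on the old behaviour. Templates that passed trusted HTML through variables will now render it escaped, and the paragraph should say how to keep that output, for example by pointing to the ``{% autoescape %}`` tag that the Jinja Setup section already documents. It should also tell readers to review any such opt-out rather than disable escaping wholesale, since the unescaped path is where untrusted input ends up as markup. A cross-reference to the Jinja Setup section would keep the two descriptions of the default from drifting apart.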