Enable autoescape for render_template_string

2015-06-30 11:00:14 -07:00 · 2015-06-30 11:00:14 -07:00 · 99c99c4c16
commit 99c99c4c16
parent e4f635f8d7
7 changed files with 41 additions and 5 deletions
--- a/flask/app.py
+++ b/flask/app.py
@ -724,12 +724,12 @@ class Flask(_PackageBoundObject):

    def select_jinja_autoescape(self, filename):
        """Returns ``True`` if autoescaping should be active for the given
-        template name.
+        template name. If no template name is given, returns `True`.

        .. versionadded:: 0.5
        """
        if filename is None:
-            return False
+            return True
        return filename.endswith(('.html', '.htm', '.xml', '.xhtml'))

    def update_template_context(self, context):
--- a/flask/templating.py
+++ b/flask/templating.py
@ -127,7 +127,7 @@ def render_template(template_name_or_list, **context):

 def render_template_string(source, **context):
    """Renders a template from the given template source string
-    with the given context.
+    with the given context. Template variables will be autoescaped.

    :param source: the source code of the template to be
                   rendered