diff --git a/CHANGES.rst b/CHANGES.rst
index 6c3ff32c..0c89289b 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -9,6 +9,8 @@ Version 2.2.3
Unreleased
+- Autoescaping is now enabled by default for ``.svg`` files. Inside
+ templates this behavior can be changed with the ``autoescape`` tag.
Version 2.2.2
-------------
diff --git a/docs/quickstart.rst b/docs/quickstart.rst
index f92bd241..a8d5b3b3 100644
--- a/docs/quickstart.rst
+++ b/docs/quickstart.rst
@@ -436,6 +436,11 @@ Here is a basic introduction to how the :class:`~markupsafe.Markup` class works:
>>> Markup('Marked up » HTML').striptags()
'Marked up ยป HTML'
+.. versionchanged:: 2.2
+
+ In addition to the extensions below, templates with the ``.svg`` extension
+ are also autoescaped.
+
.. versionchanged:: 0.5
Autoescaping is no longer enabled for all templates. The following
diff --git a/docs/templating.rst b/docs/templating.rst
index 3cda995e..f497de73 100644
--- a/docs/templating.rst
+++ b/docs/templating.rst
@@ -18,7 +18,7 @@ Jinja Setup
Unless customized, Jinja2 is configured by Flask as follows:
- autoescaping is enabled for all templates ending in ``.html``,
- ``.htm``, ``.xml`` as well as ``.xhtml`` when using
+ ``.htm``, ``.xml``, ``.xhtml``, as well as ``.svg`` when using
:func:`~flask.templating.render_template`.
- autoescaping is enabled for all strings when using
:func:`~flask.templating.render_template_string`.
diff --git a/src/flask/app.py b/src/flask/app.py
index ce4dcf6a..aa5bd3cc 100644
--- a/src/flask/app.py
+++ b/src/flask/app.py
@@ -961,11 +961,14 @@ class Flask(Scaffold):
"""Returns ``True`` if autoescaping should be active for the given
template name. If no template name is given, returns `True`.
+ .. versionchanged:: 2.2
+ Autoescaping is now enabled by default for ``.svg`` files.
+
.. versionadded:: 0.5
"""
if filename is None:
return True
- return filename.endswith((".html", ".htm", ".xml", ".xhtml"))
+ return filename.endswith((".html", ".htm", ".xml", ".xhtml", ".svg"))
def update_template_context(self, context: dict) -> None:
"""Update the template context with some commonly used variables.
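Review bot: The extension test on the new `return` line is still case-sensitive, so a template named with an upper-case extension (e.g. `icon.SVG`) is rendered without autoescaping even after this change, which leaves open the same kind of gap the `.svg` addition is meant to close. If that is meant to be covered, `return filename.lower().endswith((".html", ".htm", ".xml", ".xhtml", ".svg"))` would do it, though it also widens matching for the existing extensions and so deserves its own changelog line. The added `versionchanged` note could also state why `.svg` belongs in the list — SVG is XML that browsers render as active content, so unescaped interpolation into it carries the same injection risk as into `.html`; a one-line comment such as `# .svg is rendered by browsers as active content; escape it like HTML.` above the `return` would make the intent clear to the next maintainer. The enclosing method's signature lies above the hunk and is not shown.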