[Flask] [EXT] Re: render_template_string doesn't render

Patrick L Jones plj at mitre.org
Mon Aug 16 08:32:15 EDT 2021


	I tried the suggestions:
        return render_template_string("""
        {% autoescape false %}
        <h1>PLEASE CLOSE THIS WINDOW</h1>
        {% endautoescape %}
        """)

What was rendered on the page was:
"\n        \n        <h1>PLEASE CLOSE THIS WINDOW</h1>\n        \n        "

	Any idea of what I'm doing wrong or how to make it render the string?

Thank you,


-----Original Message-----
From: Flask <flask-bounces+plj=mitre.org at python.org> On Behalf Of Dennis Lee Bieber
Sent: Friday, August 13, 2021 5:29 PM
To: flask at python.org
Subject: [EXT] Re: [Flask] render_template_string doesn't render

On Fri, 13 Aug 2021 18:48:55 +0000, Patrick L Jones <plj at mitre.org> declaimed the following:

>def get(self):
>    return render_template_string('<h1>PLEASE CLOSE THIS WINDOW</h1>')

	Per some documentation
Unless customized, Jinja2 is configured by Flask as follows:

    autoescaping is enabled for all templates ending in .html, .htm, .xml as well as .xhtml when using render_template().

    autoescaping is enabled for all strings when using render_template_string().

    a template has the ability to opt in/out autoescaping with the {% autoescape %} tag.
Autoescaping is the concept of automatically escaping special characters for you. Special characters in the sense of HTML (or XML, and thus XHTML) are &, >, <, " as well as '. Because these characters carry specific meanings in documents on their own you have to replace them by so called “entities” if you want to use them for text. Not doing so would not only cause user frustration by the inability to use these characters in text, but can also lead to security problems. (see Cross-Site Scripting (XSS))

Sometimes however you will need to disable autoescaping in templates. This can be the case if you want to explicitly inject HTML into pages, for example if they come from a system that generates secure HTML like a markdown to HTML converter.
To disable the autoescape system in templates, you can use the {% autoescape %} block:

{% autoescape false %}
    <p>autoescaping is disabled here
    <p>{{ will_not_be_escaped }}
{% endautoescape %}

	Wulfraed                 Dennis Lee Bieber         AF6VN
	wlfraed at ix.netcom.com    http://wlfraed.microdiversity.freeddns.org/
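Added example, not part of either message above: it shows what autoescaping in render_template_string() does and does not touch (literal markup in the template source, substituted values, `{% autoescape false %}`, `Markup`), and that JSON-encoding the rendered string reproduces the quoted output exactly, double quotes and `\n` included. Assumes Flask and markupsafe are installed; the `UNTRUSTED` value is a constructed sample.

```python
import json

from flask import Flask, render_template_string
from markupsafe import Markup

app = Flask(__name__)

# Constructed sample value standing in for an untrusted input.
UNTRUSTED = '<script>alert(1)</script>'

# The template from the thread, re-typed with the same indentation.
THREAD_TEMPLATE = (
    "\n        {% autoescape false %}"
    "\n        <h1>PLEASE CLOSE THIS WINDOW</h1>"
    "\n        {% endautoescape %}"
    "\n        "
)


def render(source, **context):
    """render_template_string() needs an application context; supply one."""
    with app.app_context():
        return render_template_string(source, **context)


def render_literal():
    """Markup written into the template source itself is never escaped."""
    return render('<h1>PLEASE CLOSE THIS WINDOW</h1>')


def render_variable(value):
    """Substituted values are escaped: autoescape is on for all strings."""
    return render('<p>{{ v }}</p>', v=value)


def render_unescaped(value):
    """{% autoescape false %} disables escaping for substituted values too."""
    return render('{% autoescape false %}<p>{{ v }}</p>{% endautoescape %}', v=value)


def render_trusted(value):
    """Markup() exempts one value from escaping; reserve it for HTML you generated."""
    return render('<p>{{ v }}</p>', v=Markup(value))


def json_encoded_thread_output():
    """JSON-encode the rendered thread template; compare with the quoted output."""
    return json.dumps(render(THREAD_TEMPLATE))


if __name__ == "__main__":
    print(render_variable(UNTRUSTED))
    print(json_encoded_thread_output())
```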
