disabling autoescape in flask

Question

I want to show some text to the user. the string variable I'm sending has multiple newline characters and I dont want \n to be displayed. so I did:

footext = """f
o
o"""

#footext == "f\no\no"

@app.route("/someurl")
def foo():
    return render_template("bar.html", text = footext.replace("\n", "<br />"))

bar.html :

<html>
{{ text }}
</html>

However autoescape is enabled and what I see is f<br />o<br />o. Also my method isn't safe, I want every tag except <br /> to be escaped from the text. I took a look at flask.Markup module and however they don't really work either.

What is the proper way to do this?

Answer 1

There are two reasonable approaches you could take.

Solution 1

As you are combining unsafe input with HTML into a single variable flask.Markup is actually quite a handy way to do this. Basic idea is to split your text on the newline characters, make sure you HTML escape each of the lines which you do not trust, then glue them back together joined by <br /> tags which you do trust.

Here's the complete app to demonstrate this. It uses the same bar.html template as in your question. Note that I've added some unsafe HTML to the footext as a demonstration of why turning off autoescaping is not a safe solution to your problem.

import flask

app = flask.Flask(__name__)

footext = """f
o
<script>alert('oops')</script>
o"""


@app.route("/foo")
def foo():
    text = ""
    for line in footext.split('\n'):
        text += flask.Markup.escape(line) + flask.Markup('<br />')
    return flask.render_template("bar.html", text=text)

if __name__ == "__main__":
    app.run(debug=True)

Solution 2

Another option would be to push the complexity into your template, leaving you with a much simpler view. Just split footext into lines, then you can loop over it in your template and autoescaping will take care of keeping this safe.

Simpler view:

@app.route("/foo")
def foo():
    return flask.render_template("bar.html", text=footext.split('\n'))

Template bar.html becomes:

<html>
    {%- for line in text -%}
        {{ line }}
        {%- if not loop.last -%}
            <br />
        {%- endif -%}
    {%- endfor -%}
</html>

Conclusion

I personally prefer solution 2, because it puts the rendering concerns (lines are separated by <br /> tags) in the template where they belong. If you ever wanted to change this in future to, say, show the lines in a bulleted list instead, you'd just have to change your template, not your code.

Answer 2

I will leave my previous answer as a bad example.

A very good solution for this kind of thing is a custom filter, which would let you use a syntax such as

{{ block_of_text | nl2br }}

which, conveniently, you can do with this nl2br filter snippet (or easily customize)!