I have Flask, Jinja2 and Python.
So I'm trying to display text that is stored as Markdown.
I do this:

    from markdown import markdown
    from pony.orm import Database  # assumed: db.Entity is Pony ORM's entity base class

    db = Database()

    class Article(db.Entity):
        ...

        def html(self):
            return markdown(self.text)  # Markdown text -> HTML string

Next, in my view I do this:

    html_text = article_.html()
    return render_template('article.html', article=article_, comments=comments, user=user, text=html_text)

And in article.html I just have this line:

    {{text}}

So, with the data stored in the db as `*im busy*`, I get `<p><em>im busy</em></p>` in my browser.
I tried to use `.replace('<', '<').replace('>', '>')` but it changes nothing.
Flask's render_template() enables Jinja2 autoescaping for templates whose file name ends in .html (and a few other markup extensions such as .htm, .xml and .xhtml), so `{{text}}` in article.html HTML-escapes the string that markdown() returned: every `<p>` becomes `&lt;p&gt;` and the browser shows the literal tags. That is the behaviour you are seeing, not a bug. A bare jinja2.Environment() created outside Flask has autoescape=False by default, which is why code scanners flag it: without escaping, any HTML submitted through a template variable is rendered as-is and the application becomes vulnerable to cross-site scripting (XSS). Autoescaping is the template engine's main defence against XSS.

Escaping everything except values explicitly marked safe also means Jinja escapes variables known not to contain HTML (numbers, booleans), which costs performance, and the knowledge of which variable is safe is fragile. Jinja therefore does not try to infer it: a value is rendered unescaped only when it is a markupsafe.Markup object or is passed through the safe filter.

Autoescaping applies to the values of template variables. It is a different thing from escaping Jinja's own syntax: to show `{{ ... }}` or `{% ... %}` literally in a template, wrap that part in a `{% raw %} ... {% endraw %}` block so it is rendered without interpretation.

The caveat before you mark anything safe: Python-Markdown passes raw HTML in its input through unchanged, so if the stored Markdown comes from users, marking the converted HTML safe turns any `<script>` or `onerror=` they typed into stored XSS for everyone who views the article. Sanitize the HTML against an allowlist of tags and attributes first (with a maintained sanitizer such as bleach or nh3), and mark only the sanitized result safe.
Do you know the safe filter?

    {{text|safe}}
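To show why the escaped output appears, what `|safe` actually changes, and what it lets through, here is an added example; it is not code from the question, the answer, Flask or Python-Markdown. It assumes jinja2 and markupsafe are installed and uses `Environment(autoescape=True)` to stand in for what Flask's render_template() does for article.html. `STORED_HTML` is a constructed string standing in for what `markdown(self.text)` returns when a hostile author has pasted raw HTML into the stored text (Python-Markdown passes inline HTML through untouched); the `sanitize()` allowlist parser and the names `render_plain`, `render_trusted` and `render_sanitized` are mine.

```python
from html.parser import HTMLParser

from jinja2 import Environment
from markupsafe import Markup, escape

# Tags and attributes that survive sanitization; everything else is dropped or escaped.
ALLOWED_TAGS = {"p", "em", "strong", "a", "code", "pre", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds HTML keeping only allowlisted tags and attributes.

    Text inside <script>/<style> is discarded; text everywhere else is
    re-escaped, so nothing the author wrote can close or open a tag.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on* handlers, style, class, ...
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # blocks javascript: and data: links
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_depth == 0:
            self.out.append(str(escape(data)))


def sanitize(html):
    """Return a Markup object Jinja renders verbatim, built only from allowlisted content."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return Markup("".join(parser.out))


# autoescape=True is what Flask's render_template() selects for a template named article.html.
env = Environment(autoescape=True)
TEMPLATE = env.from_string("{{ text }}")

# Constructed sample: what markdown() returns for an article stored as "*im busy*" followed by
# raw HTML pasted in by a hostile author. Python-Markdown passes inline HTML through unchanged.
STORED_HTML = (
    "<p><em>im busy</em></p>"
    '<p><a href="javascript:alert(1)">x</a><script>alert(1)</script></p>'
)


def render_plain(html):
    """{{ text }} with a str value: autoescape turns every < into &lt; (the question's symptom)."""
    return TEMPLATE.render(text=html)


def render_trusted(html):
    """Markup(html) is what {{ text|safe }} does: the tags render, and so does the <script>."""
    return TEMPLATE.render(text=Markup(html))


def render_sanitized(html):
    """Sanitize first, then mark safe: formatting survives, the injected script and link do not."""
    return TEMPLATE.render(text=sanitize(html))


if __name__ == "__main__":
    print(render_plain(STORED_HTML))
    print(render_trusted(STORED_HTML))
    print(render_sanitized(STORED_HTML))
```

In the question's setup the equivalent fix is to have `Article.html()` return `sanitize(markdown(self.text))`: the result is already a Markup object, so the template can stay `{{text}}` with no `|safe`, and a plain string that reaches the template by mistake is still escaped. The allowlist parser above is there to make the point visible; for production use a maintained sanitizer (bleach or nh3) rather than hand-rolling one.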
Passing HTML to template using Flask/Jinja2