Autoescape does not work well across blocks/inheritance #1898

Open
ThiefMaster opened this issue Oct 13, 2023 · 0 comments

ThiefMaster commented Oct 13, 2023

Description

I have a base template that uses {% autoescape false %} around a block because the contents of that particular block are used in a plaintext context that does not need escaping, while the rest of the template does.

However, when I override that block in the main template, autoescaping still happens - see test1 in the output below.

test2 is completely weird and makes no sense at all - wrapping the block in autoescape should have no effect whatsoever (since nothing outside of blocks should be taken into account in a template that uses {% extends %}).

test3 has the desired result, but at the cost of having to duplicate the autoescape false block in each child template, which is exactly what I'm trying to avoid.

Example

import textwrap

from jinja2 import DictLoader, Environment, select_autoescape

TEMPLATES = {
    'base.html': textwrap.dedent('''
        Subject: {% autoescape false %}{% block subject %}{% endblock %}{% endautoescape %}
        Body: {% block body %}{% endblock %}
    ''').strip(),
    'test1.html': textwrap.dedent('''
        {% extends 'base.html' %}
        {% block subject %}{{ text }}{% endblock %}
        {% block body %}{{ text }}{% endblock %}
    ''').strip(),
    'test2.html': textwrap.dedent('''
        {% extends 'base.html' %}
        {% autoescape false -%}
            {% block subject %}{{ text }}{% endblock %}
        {%- endautoescape %}
        {% block body %}{{ text }}{% endblock %}
    ''').strip(),
    'test3.html': textwrap.dedent('''
        {% extends 'base.html' %}
        {% block subject %}
            {%- autoescape false %}{{ text }}{% endautoescape -%}
        {% endblock %}
        {% block body %}{{ text }}{% endblock %}
    ''').strip(),
}

TEXT = "hel'lo"

env = Environment(loader=DictLoader(TEMPLATES), autoescape=select_autoescape())
print('test1')
print(env.get_template('test1.html').render(text=TEXT))
print()
print('test2')
print(env.get_template('test2.html').render(text=TEXT))
print()
print('test3')
print(env.get_template('test3.html').render(text=TEXT))

Output

test1
Subject: hel'lo
Body: hel'lo

test2
hel'loSubject: hel'lo
Body: hel'lo

test3
Subject: hel'lo
Body: hel'lo

Environment

  • Python version: 3.11.6 + 3.12.0 (+ probably all other versions)
  • Jinja version: 3.1.2 + ... + 2.7 (did not test anything older than that)
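
A per-block escaping check for the behaviour reported above, as an added example that is not part of the original issue or of Jinja's own code: it renders each block function a template defines on its own and reports whether a probe value came out escaped. The template names `inherits.html` and `explicit.html` (the report's test1 and test3) and the helper `block_escaping` are assumptions made for this example.

```python
from jinja2 import DictLoader, Environment, select_autoescape
from markupsafe import escape

# Constructed templates: base.html and the test1/test3 children from the
# report above, renamed for readability.
TEMPLATES = {
    "base.html": (
        "Subject: {% autoescape false %}{% block subject %}{% endblock %}"
        "{% endautoescape %}\n"
        "Body: {% block body %}{% endblock %}"
    ),
    "inherits.html": (
        "{% extends 'base.html' %}"
        "{% block subject %}{{ text }}{% endblock %}"
        "{% block body %}{{ text }}{% endblock %}"
    ),
    "explicit.html": (
        "{% extends 'base.html' %}"
        "{% block subject %}{% autoescape false %}{{ text }}"
        "{% endautoescape %}{% endblock %}"
        "{% block body %}{{ text }}{% endblock %}"
    ),
}
PROBE = "hel'lo"  # same sample value as the report
ENV = Environment(loader=DictLoader(TEMPLATES), autoescape=select_autoescape())


def block_escaping(env, template_name, var="text"):
    """Map each block defined in template_name to True (probe escaped),
    False (probe emitted raw) or None (block did not emit the probe)."""
    template = env.get_template(template_name)
    result = {}
    for name, render_block in template.blocks.items():
        # Render the block function directly, outside any parent template.
        ctx = template.new_context({var: PROBE})
        output = "".join(render_block(ctx))
        if PROBE in output:
            result[name] = False
        elif str(escape(PROBE)) in output:
            result[name] = True
        else:
            result[name] = None
    return result


if __name__ == "__main__":
    for name in TEMPLATES:
        print(name, block_escaping(ENV, name))
```

Run over a template directory in CI, a check like this flags any block whose escaping differs from what the surrounding base template suggests.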