
I am researching some security bugs within some websites and would like to know if Jinja2 enables autoescape by default. According to the Jinja documentation (http://jinja.pocoo.org/docs/2.9/faq/#why-is-autoescaping-not-the-default), it doesn't, but while I was testing the app on a new system, it was enabled (I may have accidentally done that though, not sure).

Can anyone shine some light on this?

Answers

According to the Flask documentation:

Unless customized, Jinja2 is configured by Flask as follows:

autoescaping is enabled for all templates ending in .html, .htm, .xml as well as .xhtml when using render_template().

Also:

autoescaping is enabled for all strings when using render_template_string().

Finally:

a template has the ability to opt in/out autoescaping with the {% autoescape %} tag.

So, while Jinja may not autoescape by default, Flask turns on Jinja's autoescaping by default.
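The difference between the two defaults is easy to observe directly. The following is an added example, not code from the question, the answer, Jinja or Flask. It uses only Jinja2 itself: a plain `Environment` (autoescape off), an `Environment` whose autoescape rule is built with Jinja2's own `select_autoescape` to mirror the extension-based rule Flask applies (the `render_flask_style` helper is my reconstruction of that rule, not Flask's code), an `Environment(autoescape=True)` to mirror `render_template_string`, and the `{% autoescape %}` tag to opt in or out per template. The template sources and the `PAYLOAD` value are constructed for the demonstration.

```python
from jinja2 import DictLoader, Environment, select_autoescape

# Constructed attacker-controlled value: if it reaches the page unescaped, it is XSS.
PAYLOAD = "<script>alert(1)</script>"

# Constructed templates, keyed by filename so the extension-based rule can be observed.
TEMPLATES = {
    "page.html": "<p>Hello {{ name }}</p>",
    "page.txt": "Hello {{ name }}",
    # Per-template opt-out / opt-in via the {% autoescape %} tag (built in since Jinja 2.9).
    "optout.html": "{% autoescape false %}<p>Hello {{ name }}</p>{% endautoescape %}",
    "optin.txt": "{% autoescape true %}Hello {{ name }}{% endautoescape %}",
}


def render_plain_jinja(template_name: str) -> str:
    """Plain Jinja2: autoescape defaults to False, so PAYLOAD is emitted verbatim
    unless the template itself opts in with {% autoescape true %}."""
    env = Environment(loader=DictLoader(TEMPLATES))
    return env.get_template(template_name).render(name=PAYLOAD)


def render_flask_style(template_name: str) -> str:
    """Hypothetical mirror of Flask's render_template() rule, built with Jinja2's
    select_autoescape: escape for .html/.htm/.xml/.xhtml, leave other extensions alone."""
    env = Environment(
        loader=DictLoader(TEMPLATES),
        autoescape=select_autoescape(
            enabled_extensions=("html", "htm", "xml", "xhtml"),
            default_for_string=True,  # nameless templates (from_string) are escaped
            default=False,            # any other extension is not
        ),
    )
    return env.get_template(template_name).render(name=PAYLOAD)


def render_string_flask_style(source: str) -> str:
    """Hypothetical mirror of Flask's render_template_string(): every string
    template is rendered with autoescaping on, whatever it contains."""
    env = Environment(autoescape=True)
    return env.from_string(source).render(name=PAYLOAD)


def is_escaped(output: str) -> bool:
    """True when the payload's angle brackets were turned into HTML entities."""
    return "<script>" not in output and "&lt;script&gt;" in output


if __name__ == "__main__":
    cases = [
        ("plain Jinja, page.html", render_plain_jinja("page.html")),
        ("plain Jinja, optin.txt", render_plain_jinja("optin.txt")),
        ("Flask rule, page.html", render_flask_style("page.html")),
        ("Flask rule, page.txt", render_flask_style("page.txt")),
        ("Flask rule, optout.html", render_flask_style("optout.html")),
        ("Flask rule, optin.txt", render_flask_style("optin.txt")),
        ("render_template_string", render_string_flask_style("<p>{{ name }}</p>")),
    ]
    for label, out in cases:
        print(f"{label:28s} escaped={is_escaped(out)!s:5s} {out}")
```

Two practical checks follow from this. First, the extension rule only helps when the template is rendered through `render_template()` with a matching filename; a `.txt` or `.j2` template, or an `Environment` the application builds itself, gets Jinja's own default of no escaping. Second, autoescaping is HTML-context escaping only: values marked `|safe`, wrapped in `Markup`, or interpolated into a JavaScript block or an unquoted attribute are not protected by it, so a template review should still grep for those. In a running Flask app, `app.select_jinja_autoescape(filename)` returns the decision the extension rule makes for a given template name.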
