Should set blocks be safe by default?

Right now this testcase would fail:

    def test_set_block(self):
        env = Environment(extensions=['jinja2.ext.autoescape'],
                          autoescape=True)
        tmpl = env.from_string('{% set foo %}<br>{% endset %}{{ foo }}')
        assert tmpl.render() == '<br>'

>       assert tmpl.render() == '<br>'
E       assert '&lt;br&gt;' == '<br>'
E         - &lt;br&gt;
E         + <br>

The contents of a set block are very similar to a macro though, so I think this behavior is not what you’d expect. Especially since you easily get double escaping, as shown in an extended version of the testcase above:

    def test_set_block(self):
        env = Environment(extensions=['jinja2.ext.autoescape'],
                          autoescape=True)
        tmpl = env.from_string('{% set foo %}{{ bar }}<br>{% endset %}'
                               '{{ foo }}')
>       assert tmpl.render(bar='<hr>') == '&lt;hr&gt;<br>'
E       assert '&amp;lt;hr&amp;gt;&lt;br&gt;' == '&lt;hr&gt;<br>'
E         - &amp;lt;hr&amp;gt;&lt;br&gt;
E         + &lt;hr&gt;<br>

If I add the safe filter to my set block (added in #489) the testcase passes fine, but I think this is the most common use case and thus shouldn’t require a filter.

Issue Analytics

  • State: closed
  • Created 8 years ago
  • Reactions: 1
  • Comments: 6 (2 by maintainers)

Top GitHub Comments

aaugustin commented, Jan 6, 2017 (1 reaction)

Thanks Armin!

aaugustin commented, Nov 25, 2016 (0 reactions)

I just hit this issue as well.

My workaround:

    {% set foo %} ... {% endset %}
    {% set foo = foo | safe %}{# workaround for https://github.com/pallets/jinja/issues/490 #}
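
A stand-alone model of the escaping behaviour discussed in this issue, added here as an illustration; it is not Jinja's code and not code from the issue author or commenters. `Safe`, `emit` and `render_set_block` are hypothetical names, and the standard library's `html.escape` stands in for the template engine's escaping.

```python
from html import escape


class Safe(str):
    """A string already marked HTML-safe (hypothetical stand-in for a markup type)."""


def emit(value):
    """Model of `{{ value }}` under autoescape: escape unless marked safe."""
    return value if isinstance(value, Safe) else Safe(escape(str(value)))


def render_set_block(bar, mark_block_safe):
    """Model of '{% set foo %}{{ bar }}<br>{% endset %}{{ foo }}'.

    The literal `<br>` is trusted template text; `bar` is untrusted input.
    Pass bar='' to model the first testcase, whose block holds only `<br>`.
    """
    # Inside the block `bar` is escaped exactly once and `<br>` is kept as-is.
    # Concatenating with a plain str yields a plain str: the safe marker is lost.
    captured = emit(bar) + "<br>"
    # mark_block_safe=False: behaviour reported in the issue (foo is a plain str).
    # mark_block_safe=True:  the `| safe` workaround, or a safe-by-default block.
    foo = Safe(captured) if mark_block_safe else captured
    # `{{ foo }}` goes through autoescape again.
    return str(emit(foo))


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, render_set_block("<hr>", mark_block_safe=flag))
```

Marking the captured block safe does not let `bar` through unescaped, because `bar` was already escaped when the block body was rendered.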
