Autoescape templates by default #178
Conversation
If a custom override for autoescape is not present the default behaviour will be to escape templates with extensions html, htm, xhtml, xml, and jinja2.
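An added example, not aiohttp_jinja2's own code, that mirrors the rule the description states (nameless string templates escaped; named templates escaped only when their extension is in the list) and renders a constructed payload under the old default, the PR's selector, and the escape-everything alternative. It assumes jinja2 is installed for the rendering part, and case-insensitive extension matching is an assumption the description does not state.

```python
"""Extension-based autoescape as described in aiohttp_jinja2 #178 (added example)."""
from pathlib import PurePosixPath

# The extensions the PR description lists as escaped by default.
ESCAPED_EXTENSIONS = frozenset({"html", "htm", "xhtml", "xml", "jinja2"})

# Constructed sample input standing in for an attacker-controlled field.
SAMPLE_INPUT = "<script>alert(1)</script>"

# Constructed templates: one inside the escaped list, one outside it.
TEMPLATES = {
    "page.html": "<p>{{ user_input }}</p>",
    "mail.txt": "Hello {{ user_input }}",
}


def autoescape_for(template_name):
    """Decide autoescape the way the PR describes it.

    A template without a name (jinja2 passes None for string templates)
    is escaped; a named template is escaped when its extension is listed.
    Comparing case-insensitively is an assumption, not part of the PR text.
    """
    if template_name is None:
        return True
    suffix = PurePosixPath(template_name).suffix.lstrip(".").lower()
    return suffix in ESCAPED_EXTENSIONS


def render_all(autoescape):
    """Render the sample templates plus a string template under one
    autoescape setting (a bool or a callable, both accepted by jinja2).
    Returns {template name: output}; None if jinja2 is not installed."""
    try:
        import jinja2
    except ImportError:
        return None
    env = jinja2.Environment(loader=jinja2.DictLoader(TEMPLATES),
                             autoescape=autoescape)
    out = {name: env.get_template(name).render(user_input=SAMPLE_INPUT)
           for name in TEMPLATES}
    # from_string() hands a callable autoescape the name None.
    out[None] = env.from_string("{{ user_input }}").render(user_input=SAMPLE_INPUT)
    return out


if __name__ == "__main__":
    for label, setting in (("no autoescape (old default)", False),
                           ("by extension (this PR)", autoescape_for),
                           ("escape everything (review suggestion)", True)):
        print(label, render_all(setting))
```

Under the PR's selector `mail.txt` still renders the payload verbatim, which is the gap the reviewer's escape-everything suggestion closes.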
Codecov Report
@@            Coverage Diff            @@
##           master    #178    +/-   ##
=====================================
  Coverage     100%    100%
=====================================
  Files           2       2
  Lines          97      99     +2
  Branches       13      15     +2
=====================================
+ Hits           97      99     +2
Continue to review full report at Codecov.
aiohttp_jinja2/__init__.py
Outdated
@@ -34,6 +36,12 @@ def setup(app, *args, app_key=APP_KEY, context_processors=(), | |||
return env | |||
|
|||
|
|||
def aiohttp_jinja2_autoescape(template): | |||
if template is None: | |||
return True |
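Review bot: the `template is None` branch is the right default for string templates, but the review comment says that line has no test; add a test that renders a nameless template (for example through the environment's `from_string`) and asserts that output is escaped, so the safe default for templates without a filename is locked in.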
The line is not test covered
aiohttp_jinja2/__init__.py
Outdated
@@ -24,6 +24,8 @@ def setup(app, *args, app_key=APP_KEY, context_processors=(), | |||
env.globals.update(GLOBAL_HELPERS) | |||
if filters is not None: | |||
env.filters.update(filters) | |||
if 'autoescape' not in kwargs: | |||
env.autoescape = aiohttp_jinja2_autoescape |
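Review bot: the `'autoescape' not in kwargs` guard correctly preserves an explicit caller setting, including an explicit `autoescape=False`, so that path needs its own test; and because `aiohttp_jinja2_autoescape` selects by extension, a template whose name carries any other extension, or none, is rendered unescaped by default, which should be stated in the function's docstring and the README together with the list of escaped extensions given in the PR description.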
Why not autoescape everything by default?
Why do you choose based on template suffix?
@@ -24,6 +24,8 @@ def setup(app, *args, app_key=APP_KEY, context_processors=(), | |||
env.globals.update(GLOBAL_HELPERS) | |||
if filters is not None: | |||
env.filters.update(filters) | |||
if 'autoescape' not in kwargs: | |||
env.autoescape = lambda _: True |
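Review bot: `lambda _: True` is only a callable spelling of `True`; `env.autoescape = True` says the same thing more plainly. Since this flips rendering for every existing user who never passed `autoescape`, the change also needs a changelog and README note saying that escaping is now on for all templates and that the `autoescape` keyword is the way to opt out.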
env.autoescape = True
would be enough
feel like it would've been easier to fix this yourself...
- You are asking for a new feature.
- I personally don't need it, but the feature looks interesting; I'm ready to find time for review.
- You are providing a PR -- awesome. The PR is not perfect. It requires a couple of iterations before merging. You give up after the first step.
Do you need the feature? If yes -- please finish the PR. The project is driven by OSS enthusiasts in their spare time; personally I'm busy on other (and, for me, more important) projects.
To be clear, I'm not an aiohttp user, but I noticed this when I was trying out the framework and wanted to make sure developers were aware of it. I do not consider this a feature but more of a security vulnerability, and nobody else seems to know they will need to enable autoescape when using this project.
Everybody is busy, and in this case both of our time has been wasted with this back and forth. I will try again, but please consider how much effort you put into typing the above versus actually fixing this issue.
If a custom override for autoescape is not present the default behaviour
will be to escape templates with extensions html, htm, xhtml, xml, and
jinja2.
Closes #177