Autoescape temlpates by default #178
Conversation
If a custom override for autoescape is not present the default behaviour will be to escape templates with extensions html, htm, xhtml, xml, and jinja2.
Codecov Report
@@ Coverage Diff @@
## master #178 +/- ##
=====================================
Coverage 100% 100%
=====================================
Files 2 2
Lines 97 99 +2
Branches 13 15 +2
=====================================
+ Hits 97 99 +2
Continue to review full report at Codecov.
|
aiohttp_jinja2/__init__.py
Outdated
| @@ -34,6 +36,12 @@ def setup(app, *args, app_key=APP_KEY, context_processors=(), | |||
| return env | |||
|
|
|||
|
|
|||
| def aiohttp_jinja2_autoescape(template): | |||
| if template is None: | |||
| return True | |||
aiohttp_jinja2/__init__.py
Outdated
| @@ -24,6 +24,8 @@ def setup(app, *args, app_key=APP_KEY, context_processors=(), | |||
| env.globals.update(GLOBAL_HELPERS) | |||
| if filters is not None: | |||
| env.filters.update(filters) | |||
| if 'autoescape' not in kwargs: | |||
| env.autoescape = aiohttp_jinja2_autoescape | |||
There was a problem hiding this comment.
Why not autoescape everything by default?
Why do you choose based on template template suffix?
| @@ -24,6 +24,8 @@ def setup(app, *args, app_key=APP_KEY, context_processors=(), | |||
| env.globals.update(GLOBAL_HELPERS) | |||
| if filters is not None: | |||
| env.filters.update(filters) | |||
| if 'autoescape' not in kwargs: | |||
| env.autoescape = lambda _: True | |||
There was a problem hiding this comment.
env.autoescape = True would be enough
There was a problem hiding this comment.
feel like it would've been easier to fix this yourself...
There was a problem hiding this comment.
- You are asking for new feature.
- I personally don't need it but the feature looks interesting, I'm ready for finding a time for review.
- You are providing a PR -- awesome. The PR is not perfect. It requires a couple iterations before merging. You give up after first step.
Do you need the feature? If yes -- please finish the PR. The project is driven by OSS enthusiasts in spare time, personally I busy on other (and more important for me) projects.
There was a problem hiding this comment.
To be clear I'm not an aiohttp user but noticed this when I was trying out the framework and wanted to make sure developers were aware of it. I do not consider this a feature, but more of a security vulnerability and nobody else seems to know they will need to enable autoescape when using this project
Everybody is busy and in this case both our time has been wasted with this back and forth. I will try again but please consider how much effort you put in typing the above versus actually fixing this issue.
If a custom override for autoescape is not present the default behaviour
will be to escape templates with extensions html, htm, xhtml, xml, and
jinja2.
Closes #177