This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Hotfix: disable autoescape by default when rendering Jinja2 templates #8394

Merged
merged 2 commits into from Sep 24, 2020

@anoadragon453 anoadragon453 commented Sep 24, 2020

#8037 changed the default autoescape option when rendering Jinja2 templates from False to True. This caused some bugs, noticeably around redirect URLs being escaped in SAML2 auth confirmation templates, causing those URLs to break for users.

This change returns the previous behaviour as it stood. We may want to look at each template individually and see whether autoescaping is a good idea at some point, but for now let's just fix the breakage.

@anoadragon453 anoadragon453 changed the base branch from release-v1.20.0 to release-v1.20.1 September 24, 2020 15:00

@clokep clokep left a comment

Seems good, this essentially partially reverts #8037, specifically https://github.com/matrix-org/synapse/pull/8037/files#diff-70bd890cc0062e49a9de693507c8407aL179-L182

And note that autoescape is off by default although the documentation isn't super clear about this.
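
Added example (not Synapse's code and not written by anyone in this conversation): a sketch of how Jinja2's `autoescape` setting changes a URL placed in a template, and of the explicit `|e` filter that untrusted values need while autoescape is off. It goes beyond the thread by also showing a URL that was escaped before rendering being escaped a second time, which is one way a link can break and is not claimed to be what happened in Synapse. It assumes the `jinja2` package is installed; the URL, template strings and helper names are constructed for illustration.

```python
# Added example. Requires the jinja2 package; all values below are constructed.
from html import escape, unescape

from jinja2 import Environment

# Constructed redirect URL with two query parameters (not a real Synapse URL).
REDIRECT_URL = "https://client.example/cb?loginToken=abc&state=xyz"
# The same URL already HTML-escaped by the caller before it reaches the template.
PRE_ESCAPED_URL = escape(REDIRECT_URL)
LINK_TEMPLATE = '<a href="{{ redirect_url }}">Continue</a>'


def default_autoescape() -> bool:
    """Jinja2's own default when Environment() gets no autoescape argument."""
    return Environment().autoescape


def render(autoescape: bool, template: str, **context) -> str:
    """Render a template string under the given autoescape setting."""
    return Environment(autoescape=autoescape).from_string(template).render(**context)


def href_as_browser_sees_it(html_text: str) -> str:
    """Pull out the href value and decode entities once, like an HTML parser."""
    value = html_text.split('href="', 1)[1].split('"', 1)[0]
    return unescape(value)


if __name__ == "__main__":
    print("default autoescape:", default_autoescape())
    for auto in (False, True):
        for label, url in (("raw", REDIRECT_URL), ("pre-escaped", PRE_ESCAPED_URL)):
            out = render(auto, LINK_TEMPLATE, redirect_url=url)
            ok = href_as_browser_sees_it(out) == REDIRECT_URL
            print(f"autoescape={auto!s:5} input={label:11} link intact={ok}  {out}")
    # With autoescape off, untrusted text is emitted verbatim unless |e is applied.
    name = "<b>Mallory</b>"  # constructed untrusted display name
    print(render(False, "Hello {{ name }}", name=name))
    print(render(False, "Hello {{ name|e }}", name=name))
```

Only the combination of autoescape on and an already-escaped value leaves `&amp;` in the decoded link; with autoescape off, every variable that can carry user-controlled text has to be escaped in the template itself.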

@anoadragon453

Merging even though "Membership event with an invalid displayname in the send_join response should not cause room join to fail" is failing, as that's intended for code on develop.

@anoadragon453 anoadragon453 merged commit 3f4a2a7 into release-v1.20.1 Sep 24, 2020
@anoadragon453 anoadragon453 deleted the anoa/saml_template_autoescape branch September 24, 2020 15:24
babolivier pushed a commit that referenced this pull request Sep 1, 2021
* commit '920dd1083':
  1.20.1
  Mark the shadow_banned column as boolean in synapse_port_db. (#8386)
  Hotfix: disable autoescape by default when rendering Jinja2 templates (#8394)