Suggestion: use property-branding to signify a SafeString

[callumlocke]

Currently, the Nunjucks runtime does val instanceof SafeString to check if a string is supposed to be safe.

This fails in the (admittedly unusual) situation where there are two independent copies of the Nunjucks runtime in play in the same process.

Another way would be to 'brand' all safe strings with a special non-enumerable property named something like _nunjucksSafeString, and always check for this property to see if a string is safe (instead of using instanceof, which is notoriously unreliable).

A simple boolean property is more robust and would work across VM boundaries. For example, the SafeString prototype could be modified as follows:

SafeString.prototype = Object.create(String.prototype, {
    length: { writable: true, configurable: true, value: 0 },
    _nunjucksSafeString: { value: true }
});

[ArmorDarks]

Sounds like good idea. But this repo is mostly dead, just for the note...

[niftylettuce]

As I mentioned here #979 (comment) I believe this to be a v2 to v3 upgrade issue.

[niftylettuce]

Also, if you set autoescape: false it fixes the issue.

[fdintino]

@callumlocke I'm fine with this change. Any chance you could open a pull request? I could copy your changes here but it would be nice to also have a changelog entry and unit test to go along with it.