Inja doesn't [seem to] have a way to escape HTML entities in a text substitution. So in any situation where you're displaying a user-provided string in a template, like <div>{{commentText}}</div>, you're open to an HTML (and JS...) injection attack unless you've already escaped the string before putting it in the JSON context.
It would be very nice if inja came with an escape(str) function that escaped all HTML meta-characters in str.
Some template engines escape everything by default, and require you to use a special syntax to bypass it for when you truly want to insert HTML. This is much better from a security standpoint, but has obvious backward-compatibility issues :). Maybe it could be enabled with a flag in the environment?
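As an added example (not part of the issue or of Inja itself), the kind of escape(str) function the issue asks for, plus the "escape the context beforehand" workaround it describes; the Inja callback wiring is shown only in a comment, based on Inja's add_callback API, and is assumed rather than compiled here.

```cpp
#include <string>
#include <map>
#include <iostream>

// Replace the five HTML metacharacters with entity references so a
// user-provided string renders as text instead of markup. Escaping both
// quote characters keeps the result safe inside attribute values too.
std::string html_escape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Escape every string value of a flat context before it reaches the
// template engine: the manual workaround available without autoescape.
std::map<std::string, std::string> escape_context(
        const std::map<std::string, std::string>& ctx) {
    std::map<std::string, std::string> safe;
    for (const auto& kv : ctx) safe[kv.first] = html_escape(kv.second);
    return safe;
}

int main() {
    // Constructed sample comment containing markup, quotes and an ampersand.
    std::map<std::string, std::string> ctx = {
        {"commentText", "<script>alert(\"hi\")</script> Tom & Jerry's"}};
    auto safe = escape_context(ctx);
    // Equivalent of rendering <div>{{commentText}}</div> with the safe context.
    std::cout << "<div>" << safe["commentText"] << "</div>\n";
    // Assumed wiring as an Inja callback so templates can write {{ escape(x) }}:
    // env.add_callback("escape", 1, [](inja::Arguments& args) {
    //     return html_escape(args.at(0)->get<std::string>()); });
    return 0;
}
```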
I really want to use Inja since it looks so nice and minimal, but without any support for escaping it is very hard to use. I have large JSON objects that I would somehow have to escape manually beforehand which seems very weird. Even a simple autoescape would be useful!