Please sign in to comment.
Always autoescape jinja environments unless overridden
We were only rendering .html files before, so the old _guess_autoescape function had the effect of always autoescaping .render() (from a file) but never autoescaping .from_string(). However, most places using .from_string() actually render (Qt-)HTML via jinja, so they should escape stuff! Now, we always autoescape, except when the caller uses the jinja.environment.no_autoescape() context manager, which places rendering stylesheets now do. This impacted: - Confirm quit texts (no HTML here) - config.py loading errors (where this was found because of an error containing - a <keybinding>) - Certificate error prompts (should be fine from what I can tell, as the only user-controllable output is the hostname, which cannot contain HTML)
- Loading branch information...
Showing with 23 additions and 24 deletions.