Jinja 2 safe keyword
Question:
I have a little problem understanding what an expression like `{{ something.render() | safe }}` does.
From what I have seen, without the `safe` keyword it outputs the entire HTML document, not just the true content.
What I would like to know is what it actually does, how it functions.
Answers:
The `safe` filter explicitly marks a string as "safe", i.e., it should not be automatically escaped if auto-escaping is enabled.
The documentation on this filter is here.
See the section on manual escaping to see which characters qualify for escaping.
Normally text is HTML-escaped (so `<b>` would be written out as `&lt;b&gt;`, which would render as `<b>`).
When you put `|safe` after something, you're telling the template engine that you have already escaped the text yourself, i.e. "it's safe to render this directly". So it will not do that encoding for you.
For more information: http://jinja.pocoo.org/docs/templates/#html-escaping
For anyone coming here looking to use the safe filter programmatically: wrap it in a `markupsafe.Markup` class, on which Jinja2 depends.
Expanding on @data's answer, here's an example of using `markupsafe.Markup`:

```python
import markupsafe
from jinja2 import Environment

# The original snippet left `template` undefined; a minimal autoescaping
# template is built here so the example runs as written.
env = Environment(autoescape=True)
template = env.from_string("{{ name }}")

vals = {}
vals["name"] = markupsafe.Markup("<b>Duck</b>, Donald")  # marked safe: not escaped
html = template.render(vals)
```

The resulting HTML will show Donald's last name in bold wherever the template contains `{{name}}`.
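The two answers above describe the same mechanism from both sides: `|safe` in the template and `Markup` in Python both tell Jinja2 to skip escaping. The following example is added here and is not code from the original post or from the Jinja2 project. It assumes `jinja2` and `markupsafe` are installed and uses constructed sample strings (`UNTRUSTED`, `TRUSTED_HTML`) to show the part the answers only imply: `|safe` disables escaping for whatever value happens to arrive, so applying it to user-controlled data lets raw script through, whereas wrapping only the application's own markup in `Markup` and letting `Markup.format()` escape the interpolated parts keeps the untrusted portion neutralized.

```python
from jinja2 import Environment
from markupsafe import Markup

# Constructed sample of untrusted input, e.g. a comment body read from a database.
UNTRUSTED = '<script>alert("xss")</script>'
# Constructed sample of markup the application itself produced and trusts.
TRUSTED_HTML = "<b>Duck</b>, Donald"

# Autoescaping on: this is the setting the answers above assume.
env = Environment(autoescape=True)


def render_plain(value):
    """Default behaviour: <, >, &, and quotes become HTML entities."""
    return env.from_string("{{ value }}").render(value=value)


def render_with_safe(value):
    """|safe switches escaping off for this expression, whatever the value is."""
    return env.from_string("{{ value | safe }}").render(value=value)


def render_markup(value):
    """A Markup object is already marked safe, so no |safe is needed in the template."""
    return env.from_string("{{ value }}").render(value=Markup(value))


def render_mixed(trusted_html, untrusted):
    """Markup.format() escapes plain-string arguments but keeps Markup arguments
    and the wrapper template verbatim, so trusted and untrusted parts can be
    combined without marking the untrusted part safe."""
    fragment = Markup("<p>{}: {}</p>").format(Markup(trusted_html), untrusted)
    return env.from_string("{{ fragment }}").render(fragment=fragment)


if __name__ == "__main__":
    print("escaped:    ", render_plain(UNTRUSTED))
    print("|safe:      ", render_with_safe(UNTRUSTED))  # script tag passes through
    print("Markup:     ", render_markup(TRUSTED_HTML))
    print("mixed:      ", render_mixed(TRUSTED_HTML, UNTRUSTED))
```

The practical rule this illustrates: `|safe` and `Markup` are assertions that the *producer* of the string already handled escaping. Apply them to fragments your own code built (`render_markup`, and the wrapper in `render_mixed`), and let autoescaping or `Markup.format()` handle anything that originated outside the application.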
You can go this way. `post.body` is the variable that is getting the data from the database or any file:

`{{ post.body | safe }}`

I hope you will get it.