How do I html-escape dangerous unsanitized input in jinja2?
Question:
Can I do it inside the template or must it be done in python code?
I have a variable that may contain da<ngero>u&s chars. How do I escape it in jinja2?
Answers:
e.g.
{{ user.username|e }}
Pipe it through the |e
filter
You could also tell the environment to autoescape everything:
e = Environment(loader=fileloader, autoescape=True)
note: in jinja1 this is auto_escape
If you want to escape html in your programme, you can do it like this(example):
>>> import jinja2
>>> jinja2.__version__
'2.6'
>>> a
'<script>alert("yy")</script>'
>>> jinja2.escape(a)
Markup(u'<script>alert("yy")</script>')
>>> str(jinja2.escape(a))
'<script>alert("yy")</script>'
Flask has a built in tojson
filter:
You can do a string check and replace with the corresponding escaped characters.
For example: string=I am a special character <
Do the following:
string.replace("<","< ;")
Note that in your code, the space between t and ; has been eliminated. Can’t eliminate this here as it will be formatted to show < instead 😛
Then use jinja2 to print out the formatted string. The < should appear in your display.
Can I do it inside the template or must it be done in python code?
I have a variable that may contain da<ngero>u&s chars. How do I escape it in jinja2?
e.g.
{{ user.username|e }}
Pipe it through the |e
filter
You could also tell the environment to autoescape everything:
e = Environment(loader=fileloader, autoescape=True)
note: in jinja1 this is auto_escape
If you want to escape html in your programme, you can do it like this(example):
>>> import jinja2
>>> jinja2.__version__
'2.6'
>>> a
'<script>alert("yy")</script>'
>>> jinja2.escape(a)
Markup(u'<script>alert("yy")</script>')
>>> str(jinja2.escape(a))
'<script>alert("yy")</script>'
Flask has a built in tojson
filter:
You can do a string check and replace with the corresponding escaped characters.
For example: string=I am a special character <
Do the following:
string.replace("<","< ;")
Note that in your code, the space between t and ; has been eliminated. Can’t eliminate this here as it will be formatted to show < instead 😛
Then use jinja2 to print out the formatted string. The < should appear in your display.