Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

|linebreaks, |linebreaksbr and |paragraphbreaks don't work as intended with regards to escaping #74

Closed
Kijewski opened this issue Jul 13, 2024 · 1 comment · Fixed by #77
Closed

|linebreaks, |linebreaksbr and |paragraphbreaks don't work as intended with regards to escaping #74

Kijewski opened this issue Jul 13, 2024 · 1 comment · Fixed by #77

Comments

@Kijewski
Copy link
Collaborator

The examples in the book to e.g. |paragraphbreaks are wrong. The output of

{{ "hello\n\nworld"|paragraphbreaks }}

isn't

<p>hello</p><p>world</p>

but

&#60;p&#62;hello&#60;/p&#62;&#60;p&#62;world&#60;/p&#62;

because the filter is not marked as HTML safe, i.e. it returns Result<impl fmt::Display, Infallible> instead of Result<HtmlSafeOutput<impl fmt::Display>, Infallible>. That makes it tempting to use {{ "hello\n\nworld"|paragraphbreaks|safe }}, but the output of |paragraphbreaks is not safe, because it does not escape its input.

Should we auto-escape the input of |paragraphbreaks and mark its output as safe? Right now you can do that manually with {{ "hello\n\nworld"|escape|paragraphbreaks|safe }}, which looks ridiculous.
@GuillaumeGomez
Copy link
Collaborator

Yes sounds like a good idea!

@Kijewski Kijewski mentioned this issue Jul 13, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

filters: proper escaping for |linebreaks and friends Kijewski/askama
2 participants
@Kijewski @GuillaumeGomez