-
Notifications
You must be signed in to change notification settings - Fork 641
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add forceescape filter #782
Add forceescape filter #782
Comments
I think that the issue is here.
I wonder, should we change it to: escape: function(input) {
// Some dirty way to ensure that it is an Object,
// and thus probably a return of caller()
if(typeof input === 'object' && input && !Array.isArray(input)) {
// Explicitly pass value of caller() as input
input = input.val;
}
if(typeof input === 'string') {
return r.markSafe(lib.escape(input));
}
return input;
}, |
Can you bisect to find the origin of the change to |
Hm, seems issue not related to I've checked it on older version — {% macro test() %}
test
{{ log(caller()) }}
{{ log(caller()|escape) }}
{% endmacro %}
{% call test() %}
1111<br>test
{% endcall %}
After some testing it started to be clear, that those two PRs leading to those breaking changes:
Please note, that to revert old behavior, your have to revert both PRs. So, maybe we have to change |
I think the object you are referring to is a |
I always thought that purpose of Isn't return of Maybe I'm missing something, but I have a feeling that Nunjucks assumes that string Regardless of it, if Jinja2 behaves in same way and I assume About what we're doing with it — we're outputting content of the macro is |
No, And no, I don't think there's a difference between how nunjucks and Jinja evaluate string safeness, but again, if you can find a counter-example please do. Neither nunjucks nor Jinja ever mark a string safe automatically based on its contents; safeness is a property derived from the source of the string (and it's purpose is specifically to declare that even though a string contains unescaped HTML markup, that markup is from a safe source, and should be rendered, not escaped). E.g. If you want an unconditional escaping that disregards the source context, that's what |
@carljm Thanks for explanation. Your explanation sound argumentative, but I still have some doubts (sorry! :). It would really be good to have tested this in Jinja2. Unfortunately, I can't do this myself, since I'm quite far from Python world. @vecmezoni @jbmoelker this is quite old issue, I wonder can we do something about it. In any situation, we would need Here is PRs where can be seen code of old https://github.com/mozilla/nunjucks/pull/701/files |
Temporal solution of mozilla/nunjucks#782
Seems that escaping of
caller()
no longer works with switched off default auto escaping and returns raw html.I'm not sure is it intentional, or is it a bug.
should return
but returns
The text was updated successfully, but these errors were encountered: