Keats / tera

A template engine for Rust based on Jinja2/Django
http://keats.github.io/tera/
MIT License
3.43k stars, 279 forks

Version of linebreaksbr for unsafe strings #676

Open WesleyAC opened 2 years ago

WesleyAC commented 2 years ago

It would be great to have a version of the linebreaksbr function where all of the input text is automatically escaped, but the <br>s that are inserted aren't. I'm worried with the current system that people might stick in a | safe in order to get things to work without realizing what they're doing (and in any case, it's useful to have an easy way to turn line breaks into HTML for untrusted inputs).

Keats commented 2 years ago

This filter comes from Django so I would make it behave the same

WesleyAC commented 2 years ago

That makes sense, but are you open to including a filter that does what I described here with a different name, or to adding a parameter to the linebreaksbr filter that would enable the behaviour described here?

DK26 commented 2 years ago

This also concerns me. It enables functionality at the expense of security (which kinda beats the purpose of escaping in the first place). Since Tera is its own thing, should it be copying bugs, security vulnerabilities, misthoughts or other defects from the other languages? I think this is usually where Tera actually shines and excels.

Please do reconsider this ;-)

DK26 commented 2 years ago

A potential fix could involve replacing any \r\n or \r or \n after the escaping process is concluded (if not disabled by safe).

(\r for CR in MacOS https://www.oreilly.com/library/view/mac-os-x/0596004605/ch01s06.html)

inject = "<IFRAME SRC="javascript:alert('XSS');"></IFRAME>\nfoobar"
Welcome, {{ $inject }} !

Can be rendered as:

Welcome, &lt;IFRAME SRC=&quot;javascript:alert('XSS');&quot;&gt;&lt;/IFRAME&gt;\nfoobar !

And then after the \r\n, \r and \n are replaced with <br>:

Welcome, &lt;IFRAME SRC=&quot;javascript:alert('XSS');&quot;&gt;&lt;/IFRAME&gt;<br>foobar !

This would render the escaped result:

Welcome, <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
foobar !
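The escape-then-replace order proposed above, as an added Rust example that is not Tera's code and was not posted in this thread. The escaper is a minimal stand-in for an autoescape filter (its character table is an assumption, not Tera's exact one), and the function names linebreaksbr_safe and linebreaksbr_then_escape are hypothetical. The second function shows the reverse order, where the inserted <br> is itself escaped, which is what pushes template authors toward | safe.

```rust
// Added example, not Tera's own filter code.

/// Minimal HTML escaper for text nodes and attribute values.
/// Assumption: this stands in for an autoescape filter; the exact set of
/// escaped characters is not taken from Tera.
pub fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Replace CRLF, lone CR and lone LF with <br>. CRLF is handled first so a
/// Windows line ending yields one <br>, not two.
fn newlines_to_br(input: &str) -> String {
    input
        .replace("\r\n", "<br>")
        .replace('\r', "<br>")
        .replace('\n', "<br>")
}

/// Proposed safe variant: escape the untrusted input first, then insert
/// <br>. The only markup left in the output is the <br> tags inserted here,
/// so the result can be emitted without marking the whole string safe.
pub fn linebreaksbr_safe(input: &str) -> String {
    newlines_to_br(&escape_html(input))
}

/// The other order, for comparison: the inserted <br> is escaped to
/// &lt;br&gt; and shows up literally in the page, so the filter "does not
/// work" unless the template author disables escaping for the whole value.
pub fn linebreaksbr_then_escape(input: &str) -> String {
    escape_html(&newlines_to_br(input))
}

fn main() {
    // Constructed untrusted input, same shape as the one in the issue.
    let inject = "<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>\nfoobar";
    println!("Welcome, {} !", linebreaksbr_safe(inject));
    println!("Welcome, {} !", linebreaksbr_then_escape(inject));
}
```

With the input from the comment, linebreaksbr_safe yields the escaped IFRAME followed by a single real <br>, so the browser renders the tag text literally and only the line break as markup; linebreaksbr_then_escape yields a literal "&lt;br&gt;" instead of a line break, which is the behaviour that invites a blanket | safe.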

Keats commented 2 years ago

It will probably change for the v2