cscs181 / QQ-GitHub-Bot

GitHub Bot for QQ
MIT License

Security: Please enable Autoescaping for Jinja2 #68

Closed xiaozhu2007 closed 9 months ago

xiaozhu2007 commented 9 months ago

Using Jinja2 templates without autoescaping enabled leaves the application vulnerable to [XSS attacks](https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)).

Autoescaping is the concept of automatically escaping special characters. Special characters for HTML, XML and XHTML are &, >, <, " as well as '. These characters carry specific meanings, so they need to be replaced by so-called entities if you want to use them as text. Not doing so makes the application susceptible to Cross Site Scripting (XSS) attacks.

When configuring the Jinja2 environment, the option to use autoescaping on input can be specified. By default, autoescaping is disabled. When enabled, Jinja2 will filter input strings to escape any HTML content submitted via template variables.

https://github.com/cscs181/QQ-GitHub-Bot/blob/2fcc039482000b080210749de237bdb08e18080a/src/plugins/nonebot_plugin_status/__init__.py#L54-L56

xiaozhu2007 commented 9 months ago

For example:

```python
from jinja2 import Environment

# Enable autoescaping when constructing the environment
_ev = Environment(
    trim_blocks=True, lstrip_blocks=True, autoescape=True, enable_async=True
)
```

yanyongyu commented 9 months ago

Plain-text template rendering has nothing to do with HTML escaping; please do not confuse the two scenarios.
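An added example, not code from the thread or from the project, that reconciles the two comments above: Jinja2's `select_autoescape` decides per template name, so HTML templates get entity escaping while plain-text templates (like the status message at issue) are left untouched. The template names, template bodies and the sample value are constructed for illustration.

```python
from jinja2 import DictLoader, Environment, select_autoescape

# Constructed sample data: a value carrying HTML metacharacters, as might
# arrive from a repository description or commit message.
SAMPLE = {"name": 'cpu <b>&</b> "mem"'}

# Two constructed templates with the same variable; only the extension differs.
TEMPLATES = {
    "status.txt": "Status: {{ name }}",
    "status.html": "<p>Status: {{ name }}</p>",
}


def make_env() -> Environment:
    # autoescape is decided per template name: on for .html/.xml templates,
    # off for plain-text templates and for templates built from strings.
    return Environment(
        loader=DictLoader(TEMPLATES),
        trim_blocks=True,
        lstrip_blocks=True,
        autoescape=select_autoescape(
            enabled_extensions=("html", "xml"), default_for_string=False
        ),
    )


def render(name: str) -> str:
    """Render a named template with the per-name autoescape rule."""
    return make_env().get_template(name).render(SAMPLE)


def render_forced(name: str, autoescape: bool) -> str:
    """Render with a fixed autoescape setting, for comparison."""
    env = Environment(loader=DictLoader(TEMPLATES), autoescape=autoescape)
    return env.get_template(name).render(SAMPLE)


if __name__ == "__main__":
    print(render("status.txt"))   # plain text: & < > " left as-is
    print(render("status.html"))  # HTML: & < > " become entities
    # Forcing autoescape on the plain-text template mangles its output:
    print(render_forced("status.txt", True))
```

Forcing `autoescape=True` globally would turn `&` into `&amp;` in the plain-text status message, while leaving it off for an HTML template would let the metacharacters through unescaped.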