Open keeakita opened 3 weeks ago
Routing to @getsentry/product-owners-other for triage ⏲️
Y'know, I thought I could solve this in some fairly generic way, but this API is really painful. The options:

- `mark_safe()` in a central location. Doesn't work well because some of these templates have objects in their context that aren't strings.
- `{% autoescape off %}`, which opens us to regressions in the future if someone misses this.
- `safe` filter, which also has the regression issue.
- `TEMPLATES` with `autoescape=FALSE`, then reference it by name. This would be fine except for the fact that default `loader.render_to_string`, used in multiple parts of the codebase, when not given a value for `using=`, will iterate through all configured engines. Adding an engine with autoescape turned off could result in unsafe renders app-wide! That's mildly terrifying.
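The last option above describes a configuration hazard that can be checked mechanically: an engine in `TEMPLATES` with `autoescape` disabled is only safe if every `render_to_string()` call pins an engine with `using=`. The following audit script is an added example, not code from this issue or from the Sentry code base; it uses only the standard-library `ast` module, and the `TEMPLATES` entries, engine name `plain_email` and module source it scans are constructed samples.

```python
"""Audit a Django TEMPLATES setting together with render_to_string() call sites.

The hazard: an engine configured with autoescape=False, plus calls to
render_to_string() that do not pass using=, means Django's fallback search
over all engines may hand those calls to the unescaped engine.
Added example code (not from the issue or Sentry); pure Python, no Django import.
"""
import ast

# Constructed sample TEMPLATES setting; the engine name "plain_email" is hypothetical.
SAMPLE_TEMPLATES = [
    {
        "BACKEND": "django.template.backends.django.DjangoTemplates",
        "NAME": "django",
        "DIRS": [],
        "APP_DIRS": True,
        "OPTIONS": {},
    },
    {
        "BACKEND": "django.template.backends.django.DjangoTemplates",
        "NAME": "plain_email",
        "DIRS": [],
        "OPTIONS": {"autoescape": False},
    },
]

# Constructed sample module: three call sites, two of which leave engine selection to Django.
SAMPLE_SOURCE = '''
from django.template import loader
from django.template.loader import render_to_string

def build_html(ctx):
    return loader.render_to_string("mail/notice.html", ctx)

def build_text(ctx):
    return render_to_string("mail/notice.txt", ctx, using="plain_email")

def build_other(ctx):
    return render_to_string("other.html", ctx)
'''


def autoescape_off_engines(templates):
    """Return the NAMEs of engines whose OPTIONS disable autoescaping.

    Django fills in a missing NAME from the backend path (second-to-last
    dotted component), so the same fallback is applied here."""
    names = []
    for cfg in templates:
        if cfg.get("OPTIONS", {}).get("autoescape", True) is False:
            names.append(cfg.get("NAME") or cfg["BACKEND"].rsplit(".", 2)[-2])
    return names


def _is_render_to_string(call):
    # Matches both `render_to_string(...)` and `loader.render_to_string(...)`.
    func = call.func
    if isinstance(func, ast.Name):
        return func.id == "render_to_string"
    if isinstance(func, ast.Attribute):
        return func.attr == "render_to_string"
    return False


def unscoped_render_calls(source):
    """Return sorted line numbers of render_to_string() calls that pin no engine.

    `using` is the fourth positional parameter of render_to_string(), so a
    call with four or more positional arguments also counts as scoped."""
    lines = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _is_render_to_string(node):
            has_using = any(kw.arg == "using" for kw in node.keywords) or len(node.args) >= 4
            if not has_using:
                lines.append(node.lineno)
    return sorted(lines)


def audit(templates, source):
    """A finding exists only when both conditions hold: an autoescape-off engine
    is configured AND some call relies on Django's search across all engines."""
    risky = autoescape_off_engines(templates)
    unscoped = unscoped_render_calls(source)
    if not (risky and unscoped):
        return []
    return [
        f"line {lineno}: render_to_string() without using=; "
        f"may fall through to unescaped engine(s) {risky}"
        for lineno in unscoped
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_TEMPLATES, SAMPLE_SOURCE):
        print(finding)
```

Run against the sample, the audit reports the two calls that omit `using=` (the `loader.render_to_string` call and the bare `render_to_string("other.html", ...)` call) and stays silent when the `TEMPLATES` list contains only the default engine, which is the property the comment asks for before an unescaped engine could be added.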
Environment
SaaS (https://sentry.io/)
Steps to Reproduce
Expected Result
Actual Result
Email is rendered with inappropriate escaping that's not needed
Product Area
Other
Link
No response
DSN
No response
Version
No response