ishare2-org / ishare2-web-gui

Update dependency Jinja2 to v3 [SECURITY] - autoclosed #42

Closed renovate[bot] closed 3 weeks ago

renovate[bot] commented 3 months ago

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| Jinja2 (changelog) | `<=3.1.2` -> `<=3.1.4` | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2024-34064

The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, >, or =, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for the previous GHSA-h5c8-rqwp-cp95 CVE-2024-22195 only addressed spaces but not other characters.

Accepting keys as user input is now explicitly considered an unintended use case of the xmlattr filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting values as user input continues to be safe.


Release Notes

pallets/jinja (Jinja2)

### [`v3.1.4`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-314)

[Compare Source](https://togithub.com/pallets/jinja/compare/3.1.3...3.1.4)

Released 2024-05-05

- The `xmlattr` filter does not allow keys with `/` solidus, `>` greater-than sign, or `=` equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. :ghsa:`h75v-3vvj-5mfj`

### [`v3.1.3`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-313)

[Compare Source](https://togithub.com/pallets/jinja/compare/3.1.2...3.1.3)

Released 2024-01-10

- Fix compiler error when checking if required blocks in parent templates are empty. :pr:`1858`
- `xmlattr` filter does not allow keys with spaces. :ghsa:`h5c8-rqwp-cp95`
- Make error messages stemming from invalid nesting of `{% trans %}` blocks more helpful. :pr:`1918`

### [`v3.1.2`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-312)

[Compare Source](https://togithub.com/pallets/jinja/compare/3.1.1...3.1.2)

Released 2022-04-28

- Add parameters to `Environment.overlay` to match `__init__`. :issue:`1645`
- Handle race condition in `FileSystemBytecodeCache`. :issue:`1654`

### [`v3.1.1`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-311)

[Compare Source](https://togithub.com/pallets/jinja/compare/3.1.0...3.1.1)

Released 2022-03-25

- The template filename on Windows uses the primary path separator. :issue:`1637`

### [`v3.1.0`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-310)

[Compare Source](https://togithub.com/pallets/jinja/compare/3.0.3...3.1.0)

Released 2022-03-24

- Drop support for Python 3.6. :pr:`1534`
- Remove previously deprecated code. :pr:`1544`
- `WithExtension` and `AutoEscapeExtension` are built-in now.
- `contextfilter` and `contextfunction` are replaced by `pass_context`. `evalcontextfilter` and `evalcontextfunction` are replaced by `pass_eval_context`. `environmentfilter` and `environmentfunction` are replaced by `pass_environment`.
- `Markup` and `escape` should be imported from MarkupSafe.
- Compiled templates from very old Jinja versions may need to be recompiled.
- Legacy resolve mode for `Context` subclasses is no longer supported. Override `resolve_or_missing` instead of `resolve`.
- `unicode_urlencode` is renamed to `url_quote`.
- Add support for native types in macros. :issue:`1510`
- The `{% trans %}` tag can use `pgettext` and `npgettext` by passing a context string as the first token in the tag, like `{% trans "title" %}`. :issue:`1430`
- Update valid identifier characters from Python 3.6 to 3.7. :pr:`1571`
- Filters and tests decorated with `@async_variant` are pickleable. :pr:`1612`
- Add `items` filter. :issue:`1561`
- Subscriptions (`[0]`, etc.) can be used after filters, tests, and calls when the environment is in async mode. :issue:`1573`
- The `groupby` filter is case-insensitive by default, matching other comparison filters. Added the `case_sensitive` parameter to control this. :issue:`1463`
- Windows drive-relative path segments in template names will not result in `FileSystemLoader` and `PackageLoader` loading from drive-relative paths. :pr:`1621`

### [`v3.0.3`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-303)

[Compare Source](https://togithub.com/pallets/jinja/compare/3.0.2...3.0.3)

Released 2021-11-09

- Fix traceback rewriting internals for Python 3.10 and 3.11. :issue:`1535`
- Fix how the native environment treats leading and trailing spaces when parsing values on Python 3.10. :pr:`1537`
- Improve async performance by avoiding checks for common types. :issue:`1514`
- Revert change to `hash(Node)` behavior. Nodes are hashed by id again :issue:`1521`
- `PackageLoader` works when the package is a single module file. :issue:`1512`

### [`v3.0.2`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-302)

[Compare Source](https://togithub.com/pallets/jinja/compare/3.0.1...3.0.2)

Released 2021-10-04

- Fix a loop scoping bug that caused assignments in nested loops to still be referenced outside of it. :issue:`1427`
- Make `compile_templates` deterministic for filter and import names. :issue:`1452, 1453`
- Revert an unintended change that caused `Undefined` to act like `StrictUndefined` for the `in` operator. :issue:`1448`
- Imported macros have access to the current template globals in async environments. :issue:`1494`
- `PackageLoader` will not include a current directory (.) path segment. This allows loading templates from the root of a zip import. :issue:`1467`

### [`v3.0.1`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-301)

[Compare Source](https://togithub.com/pallets/jinja/compare/3.0.0...3.0.1)

Released 2021-05-18

- Update MarkupSafe dependency to >= 2.0. :pr:`1418`
- Mark top-level names as exported so type checking understands imports in user projects. :issue:`1426`
- Fix some types that weren't available in Python 3.6.0. :issue:`1433`
- The deprecation warning for unneeded `autoescape` and `with_` extensions shows more relevant context. :issue:`1429`
- Fixed calling deprecated `jinja2.Markup` without an argument. Use `markupsafe.Markup` instead. :issue:`1438`
- Calling sync `render` for an async template uses `asyncio.new_event_loop` This fixes a deprecation that Python 3.10 introduces. :issue:`1443`

### [`v3.0.0`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-300)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.11.3...3.0.0)

Released 2021-05-11

- Drop support for Python 2.7 and 3.5.
- Bump MarkupSafe dependency to >=1.1.
- Bump Babel optional dependency to >=2.1.
- Remove code that was marked deprecated.
- Add type hinting. :pr:`1412`
- Use :pep:`451` API to load templates with :class:`~loaders.PackageLoader`. :issue:`1168`
- Fix a bug that caused imported macros to not have access to the current template's globals. :issue:`688`
- Add ability to ignore `trim_blocks` using `+%}`. :issue:`1036`
- Fix a bug that caused custom async-only filters to fail with constant input. :issue:`1279`
- Fix UndefinedError incorrectly being thrown on an undefined variable instead of `Undefined` being returned on `NativeEnvironment` on Python 3.10. :issue:`1335`
- Blocks can be marked as `required`. They must be overridden at some point, but not necessarily by the direct child. :issue:`1147`
- Deprecate the `autoescape` and `with` extensions, they are built-in to the compiler. :issue:`1203`
- The `urlize` filter recognizes `mailto:` links and takes `extra_schemes` (or `env.policies["urlize.extra_schemes"]`) to recognize other schemes. It tries to balance parentheses within a URL instead of ignoring trailing characters. The parsing in general has been updated to be more efficient and match more cases. URLs without a scheme are linked as `https://` instead of `http://`. :issue:`522, 827, 1172`, :pr:`1195`
- Filters that get attributes, such as `map` and `groupby`, can use a false or empty value as a default. :issue:`1331`
- Fix a bug that prevented variables set in blocks or loops from being accessed in custom context functions. :issue:`768`
- Fix a bug that caused scoped blocks from accessing special loop variables. :issue:`1088`
- Update the template globals when calling `Environment.get_template(globals=...)` even if the template was already loaded. :issue:`295`
- Do not raise an error for undefined filters in unexecuted if-statements and conditional expressions. :issue:`842`
- Add `is filter` and `is test` tests to test if a name is a registered filter or test. This allows checking if a filter is available in a template before using it. Test functions can be decorated with `@pass_environment`, `@pass_eval_context`, or `@pass_context`. :issue:`842`, :pr:`1248`
- Support `pgettext` and `npgettext` (message contexts) in i18n extension. :issue:`441`
- The `|indent` filter's `width` argument can be a string to indent by. :pr:`1167`
- The parser understands hex, octal, and binary integer literals. :issue:`1170`
- `Undefined.__contains__` (`in`) raises an `UndefinedError` instead of a `TypeError`. :issue:`1198`
- `Undefined` is iterable in an async environment. :issue:`1294`
- `NativeEnvironment` supports async mode. :issue:`1362`
- Template rendering only treats `\n`, `\r\n` and `\r` as line breaks. Other characters are left unchanged. :issue:`769, 952, 1313`
- `|groupby` filter takes an optional `default` argument. :issue:`1359`
- The function and filter decorators have been renamed and unified. The old names are deprecated. :issue:`1381`
- `pass_context` replaces `contextfunction` and `contextfilter`.
- `pass_eval_context` replaces `evalcontextfunction` and `evalcontextfilter`
- `pass_environment` replaces `environmentfunction` and `environmentfilter`.
- Async support no longer requires Jinja to patch itself. It must still be enabled with `Environment(enable_async=True)`. :issue:`1390`
- Overriding `Context.resolve` is deprecated, override `resolve_or_missing` instead. :issue:`1380`

### [`v2.11.3`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-2113)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.11.2...2.11.3)

Released 2021-01-31

- Improve the speed of the `urlize` filter by reducing regex backtracking. Email matching requires a word character at the start of the domain part, and only word characters in the TLD. :pr:`1343`

### [`v2.11.2`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-2112)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.11.1...2.11.2)

Released 2020-04-13

- Fix a bug that caused callable objects with `__getattr__`, like :class:`~unittest.mock.Mock` to be treated as a :func:`contextfunction`. :issue:`1145`
- Update `wordcount` filter to trigger :class:`Undefined` methods by wrapping the input in :func:`soft_str`. :pr:`1160`
- Fix a hang when displaying tracebacks on Python 32-bit. :issue:`1162`
- Showing an undefined error for an object that raises `AttributeError` on access doesn't cause a recursion error. :issue:`1177`
- Revert changes to :class:`~loaders.PackageLoader` from 2.10 which removed the dependency on setuptools and pkg_resources, and added limited support for namespace packages. The changes caused issues when using Pytest. Due to the difficulty in supporting Python 2 and :pep:`451` simultaneously, the changes are reverted until 3.0. :pr:`1182`
- Fix line numbers in error messages when newlines are stripped. :pr:`1178`
- The special `namespace()` assignment object in templates works in async environments. :issue:`1180`
- Fix whitespace being removed before tags in the middle of lines when `lstrip_blocks` is enabled. :issue:`1138`
- :class:`~nativetypes.NativeEnvironment` doesn't evaluate intermediate strings during rendering. This prevents early evaluation which could change the value of an expression. :issue:`1186`

### [`v2.11.1`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-2111)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.11.0...2.11.1)

Released 2020-01-30

- Fix a bug that prevented looking up a key after an attribute (`{{ data.items[1:] }}`) in an async template. :issue:`1141`

### [`v2.11.0`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-2110)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.10.3...2.11.0)

Released 2020-01-27

- Drop support for Python 2.6, 3.3, and 3.4. This will be the last version to support Python 2.7 and 3.5.
- Added a new `ChainableUndefined` class to support getitem and getattr on an undefined object. :issue:`977`
- Allow `{%+` syntax (with NOP behavior) when `lstrip_blocks` is disabled. :issue:`748`
- Added a `default` parameter for the `map` filter. :issue:`557`
- Exclude environment globals from :func:`meta.find_undeclared_variables`. :issue:`931`
- Float literals can be written with scientific notation, like 2.56e-3. :issue:`912`, :pr:`922`
- Int and float literals can be written with the '\_' separator for legibility, like 12\_345. :pr:`923`
- Fix a bug causing deadlocks in `LRUCache.setdefault`. :pr:`1000`
- The `trim` filter takes an optional string of characters to trim. :pr:`828`
- A new `jinja2.ext.debug` extension adds a `{% debug %}` tag to quickly dump the current context and available filters and tests. :issue:`174`, :pr:`798, 983`
- Lexing templates with large amounts of whitespace is much faster. :issue:`857`, :pr:`858`
- Parentheses around comparisons are preserved, so `{{ 2 * (3 < 5) }}` outputs "2" instead of "False". :issue:`755`, :pr:`938`
- Add new `boolean`, `false`, `true`, `integer` and `float` tests. :pr:`824`
- The environment's `finalize` function is only applied to the output of expressions (constant or not), not static template data. :issue:`63`
- When providing multiple paths to `FileSystemLoader`, a template can have the same name as a directory. :issue:`821`
- Always return :class:`Undefined` when omitting the `else` clause in a `{{ 'foo' if bar }}` expression, regardless of the environment's `undefined` class. Omitting the `else` clause is a valid shortcut and should not raise an error when using :class:`StrictUndefined`. :issue:`710`, :pr:`1079`
- Fix behavior of `loop` control variables such as `length` and `revindex0` when looping over a generator. :issue:`459, 751, 794`, :pr:`993`
- Async support is only loaded the first time an environment enables it, in order to avoid a slow initial import. :issue:`765`
- In async environments, the `|map` filter will await the filter call if needed. :pr:`913`
- In for loops that access `loop` attributes, the iterator is not advanced ahead of the current iteration unless `length`, `revindex`, `nextitem`, or `last` are accessed. This makes it less likely to break `groupby` results. :issue:`555`, :pr:`1101`
- In async environments, the `loop` attributes `length` and `revindex` work for async iterators. :pr:`1101`
- In async environments, values from attribute/property access will be awaited if needed. :pr:`1101`
- :class:`~loader.PackageLoader` doesn't depend on setuptools or pkg_resources. :issue:`970`
- `PackageLoader` has limited support for :pep:`420` namespace packages. :issue:`1097`
- Support :class:`os.PathLike` objects in :class:`~loader.FileSystemLoader` and :class:`~loader.ModuleLoader`. :issue:`870`
- :class:`~nativetypes.NativeTemplate` correctly handles quotes between expressions. `"'{{ a }}', '{{ b }}'"` renders as the tuple `('1', '2')` rather than the string `'1, 2'`. :issue:`1020`
- Creating a :class:`~nativetypes.NativeTemplate` directly creates a :class:`~nativetypes.NativeEnvironment` instead of a default :class:`Environment`. :issue:`1091`
- After calling `LRUCache.copy()`, the copy's queue methods point to the correct queue. :issue:`843`
- Compiling templates always writes UTF-8 instead of defaulting to the system encoding. :issue:`889`
- `|wordwrap` filter treats existing newlines as separate paragraphs to be wrapped individually, rather than creating short intermediate lines. :issue:`175`
- Add `break_on_hyphens` parameter to `|wordwrap` filter. :issue:`550`
- Cython compiled functions decorated as context functions will be passed the context. :pr:`1108`
- When chained comparisons of constants are evaluated at compile time, the result follows Python's behavior of returning `False` if any comparison returns `False`, rather than only the last one. :issue:`1102`
- Tracebacks for exceptions in templates show the correct line numbers and source for Python >= 3.7. :issue:`1104`
- Tracebacks for template syntax errors in Python 3 no longer show internal compiler frames. :issue:`763`
- Add a `DerivedContextReference` node that can be used by extensions to get the current context and local variables such as `loop`. :issue:`860`
- Constant folding during compilation is applied to some node types that were previously overlooked. :issue:`733`
- `TemplateSyntaxError.source` is not empty when raised from an included template. :issue:`457`
- Passing an `Undefined` value to `get_template` (such as through `extends`, `import`, or `include`), raises an `UndefinedError` consistently. `select_template` will show the undefined message in the list of attempts rather than the empty string. :issue:`1037`
- `TemplateSyntaxError` can be pickled. :pr:`1117`

### [`v2.10.3`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-2103)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.10.2...2.10.3)

Released 2019-10-04

- Fix a typo in Babel entry point in `setup.py` that was preventing installation.

### [`v2.10.2`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-2102)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.10.1...2.10.2)

Released 2019-10-04

- Fix Python 3.7 deprecation warnings.
- Using `range` in the sandboxed environment uses `xrange` on Python 2 to avoid memory use. :issue:`933`
- Use Python 3.7's better traceback support to avoid a core dump when using debug builds of Python 3.7. :issue:`1050`

### [`v2.10.1`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-2101)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.10...2.10.1)

Released 2019-04-06

- `SandboxedEnvironment` securely handles `str.format_map` in order to prevent code execution through untrusted format strings. The sandbox already handled `str.format`.

### [`v2.10`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-2103)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.9.6...2.10)

Released 2019-10-04

- Fix a typo in Babel entry point in `setup.py` that was preventing installation.

### [`v2.9.6`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-296)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.9.5...2.9.6)

Released 2017-04-03

- Fixed custom context behavior in fast resolve mode :issue:`675`

### [`v2.9.5`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-295)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.9.4...2.9.5)

Released 2017-01-28

- Restored the original repr of the internal `_GroupTuple` because this caused issues with ansible and it was an unintended change. :issue:`654`
- Added back support for custom contexts that override the old `resolve` method since it was hard for people to spot that this could cause a regression.
- Correctly use the buffer for the else block of for loops. This caused invalid syntax errors to be caused on 2.x and completely wrong behavior on Python 3 :issue:`669`
- Resolve an issue where the `{% extends %}` tag could not be used with async environments. :issue:`668`
- Reduce memory footprint slightly by reducing our unicode database dump we use for identifier matching on Python 3 :issue:`666`
- Fixed autoescaping not working for macros in async compilation mode. :issue:`671`

### [`v2.9.4`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-294)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.9.3...2.9.4)

Released 2017-01-10

- Solved some warnings for string literals. :issue:`646`
- Increment the bytecode cache version which was not done due to an oversight before.
- Corrected bad code generation and scoping for filtered loops. :issue:`649`
- Resolved an issue where top-level output silencing after known extend blocks could generate invalid code when blocks where contained in if statements. :issue:`651`
- Made the `truncate.leeway` default configurable to improve compatibility with older templates.

### [`v2.9.3`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-293)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.9.2...2.9.3)

Released 2017-01-08

- Restored the use of blocks in macros to the extend that was possible before. On Python 3 it would render a generator repr instead of the block contents. :issue:`645`
- Set a consistent behavior for assigning of variables in inner scopes when the variable is also read from an outer scope. This now sets the intended behavior in all situations however it does not restore the old behavior where limited assignments to outer scopes was possible. For more information and a discussion see :issue:`641`
- Resolved an issue where `block scoped` would not take advantage of the new scoping rules. In some more exotic cases a variable overridden in a local scope would not make it into a block.
- Change the code generation of the `with` statement to be in line with the new scoping rules. This resolves some unlikely bugs in edge cases. This also introduces a new internal `With` node that can be used by extensions.

### [`v2.9.2`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-292)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.9.1...2.9.2)

Released 2017-01-08

- Fixed a regression that caused for loops to not be able to use the same variable for the target as well as source iterator. :issue:`640`
- Add support for a previously unknown behavior of macros. It used to be possible in some circumstances to explicitly provide a caller argument to macros. While badly buggy and unintended it turns out that this is a common case that gets copy pasted around. To not completely break backwards compatibility with the most common cases it's now possible to provide an explicit keyword argument for caller if it's given an explicit default. :issue:`642`

### [`v2.9.1`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-291)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.9...2.9.1)

Released 2017-01-07

- Resolved a regression with call block scoping for macros. Nested caller blocks that used the same identifiers as outer macros could refer to the wrong variable incorrectly.

### [`v2.9`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-296)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.8.1...2.9)

Released 2017-04-03

- Fixed custom context behavior in fast resolve mode :issue:`675`

### [`v2.8.1`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-281)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.8...2.8.1)

Released 2016-12-29

- Fixed the `for_qs` flag for `urlencode`.
- Fixed regression when applying `int` to non-string values.
- SECURITY: if the sandbox mode is used format expressions are now sandboxed with the same rules as in Jinja. This solves various information leakage problems that can occur with format strings.

### [`v2.8`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-281)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.7.3...2.8)

Released 2016-12-29

- Fixed the `for_qs` flag for `urlencode`.
- Fixed regression when applying `int` to non-string values.
- SECURITY: if the sandbox mode is used format expressions are now sandboxed with the same rules as in Jinja. This solves various information leakage problems that can occur with format strings.

### [`v2.7.3`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-273)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.7.2...2.7.3)

Released 2014-06-06

- Security issue: Corrected the security fix for the cache folder. This fix was provided by RedHat.

### [`v2.7.2`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-272)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.7.1...2.7.2)

Released 2014-01-10

- Prefix loader was not forwarding the locals properly to inner loaders. This is now fixed.
- Security issue: Changed the default folder for the filesystem cache to be user specific and read and write protected on UNIX systems. See `Debian bug 734747`\_ for more information.

.. \_Debian bug 734747: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747

### [`v2.7.1`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-271)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.7...2.7.1)

Released 2013-08-07

- Fixed a bug with `call_filter` not working properly on environment and context filters.
- Fixed lack of Python 3 support for bytecode caches.
- Reverted support for defining blocks in included templates as this broke existing templates for users.
- Fixed some warnings with hashing of undefineds and nodes if Python is run with warnings for Python 3.
- Added support for properly hashing undefined objects.
- Fixed a bug with the title filter not working on already uppercase strings.

### [`v2.7`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-273)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.6...2.7)

Released 2014-06-06

- Security issue: Corrected the security fix for the cache folder. This fix was provided by RedHat.

### [`v2.6`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-26)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.5.5...2.6)

Released 2011-07-24, codename Convolution

- Internal attributes now raise an internal attribute error now instead of returning an undefined. This fixes problems when passing undefined objects to Python semantics expecting APIs.
- Traceback support now works properly for PyPy. (Tested with 1.4)
- Implemented operator intercepting for sandboxed environments. This allows application developers to disable builtin operators for better security. (For instance limit the mathematical operators to actual integers instead of longs)
- Groupby filter now supports dotted notation for grouping by attributes of attributes.
- Scoped blocks now properly treat toplevel assignments and imports. Previously an import suddenly "disappeared" in a scoped block.
- Automatically detect newer Python interpreter versions before loading code from bytecode caches to prevent segfaults on invalid opcodes. The segfault in earlier Jinja versions here was not a Jinja bug but a limitation in the underlying Python interpreter. If you notice Jinja segfaulting in earlier versions after an upgrade of the Python interpreter you don't have to upgrade, it's enough to flush the bytecode cache. This just no longer makes this necessary, Jinja will automatically detect these cases now.
- The sum filter can now sum up values by attribute. This is a backwards incompatible change. The argument to the filter previously was the optional starting index which defaults to zero. This now became the second argument to the function because it's rarely used.
- Like sum, sort now also makes it possible to order items by attribute.
- Like sum and sort, join now also is able to join attributes of objects as string.
- The internal eval context now has a reference to the environment.
- Added a mapping test to see if an object is a dict or an object with a similar interface.

### [`v2.5.5`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-255)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.5.4...2.5.5)

Released 2010-10-18

- Built documentation is no longer part of release.

### [`v2.5.4`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-254)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.5.3...2.5.4)

Released 2010-10-17

- Fixed extensions not loading properly with overlays.
- Work around a bug in cpython for the debugger that causes segfaults on 64bit big-endian architectures.

### [`v2.5.3`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-253)

Released 2010-10-17

- Fixed an operator precedence error introduced in 2.5.2. Statements like "-foo.bar" had their implicit parentheses applied around the first part of the expression ("(-foo).bar") instead of the more correct "-(foo.bar)".

### [`v2.5.2`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-252)

Released 2010-08-18

- Improved setup.py script to better work with assumptions people might still have from it (`--with-speedups`).
- Fixed a packaging error that excluded the new debug support.

### [`v2.5.1`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-251)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.5...2.5.1)

Released 2010-08-17

- StopIteration exceptions raised by functions called from templates are now intercepted and converted to undefineds. This solves a lot of debugging grief. (StopIteration is used internally to abort template execution)
- Improved performance of macro calls slightly.
- Babel extraction can now properly extract newstyle gettext calls.
- Using the variable `num` in newstyle gettext for something else than the pluralize count will no longer raise a :exc:`KeyError`.
- Removed builtin markup class and switched to markupsafe. For backwards compatibility the pure Python implementation still exists but is pulled from markupsafe by the Jinja developers. The debug support went into a separate feature called "debugsupport" and is disabled by default because it is only relevant for Python 2.4
- Fixed an issue with unary operators having the wrong precedence.

### [`v2.5`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-255)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.4.1...2.5)

Released 2010-10-18

- Built documentation is no longer part of release.

### [`v2.4.1`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-241)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.4...2.4.1)

Released 2010-04-20

- Fixed an error reporting bug for undefined.

### [`v2.4`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-241)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.3.1...2.4)

Released 2010-04-20

- Fixed an error reporting bug for undefined.

### [`v2.3.1`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-231)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.3...2.3.1)

Released 2010-02-19

- Fixed an error reporting bug on all python versions
- Fixed an error reporting bug on Python 2.4

### [`v2.3`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-231)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.2.1...2.3)

Released 2010-02-19

- Fixed an error reporting bug on all python versions
- Fixed an error reporting bug on Python 2.4

### [`v2.2.1`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-221)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.2...2.2.1)

Released 2009-09-14

- Fixes some smaller problems for Jinja on Jython.

### [`v2.2`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-221)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.1.1...2.2)

Released 2009-09-14

- Fixes some smaller problems for Jinja on Jython.

### [`v2.1.1`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-211)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.1...2.1.1)

Released 2008-12-25

- Fixed a translation error caused by looping over empty recursive loops.

### [`v2.1`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-2113)

[Compare Source](https://togithub.com/pallets/jinja/compare/2.0...2.1)

Released 2021-01-31

- Improve the speed of the `urlize` filter by reducing regex backtracking. Email matching requires a word character at the start of the domain part, and only word characters in the TLD. :pr:`1343`

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
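
The advisory quoted above says that code passing user-supplied keys to `xmlattr` without validating them should be flagged as insecure regardless of the Jinja version. One way an application can validate keys before they reach the filter, as an added example (not code from Jinja, Renovate or this repository); the allowlist, the patterns and all function and exception names are hypothetical:

```python
import re
from html import escape

# Characters the advisory names as unsafe in an attribute key: whitespace, "/", ">", "=".
# Pattern written for this example, not copied from Jinja.
_UNSAFE_KEY_CHARS = re.compile(r"[\s/>=]")
# A plain attribute name: lowercase letter, then letters, digits or hyphens.
_NAME_RE = re.compile(r"[a-z][a-z0-9-]*")

# Hypothetical application policy: the only attribute names a user may set.
# A character check alone is not enough, because a syntactically valid key
# (for example an event-handler attribute) is still attacker-chosen markup.
ALLOWED_KEYS = frozenset({"class", "id", "title", "lang"})
ALLOWED_PREFIXES = ("data-",)


class UnsafeAttributeKey(ValueError):
    """Raised when a user-supplied attribute key fails validation."""


def check_key(key):
    """Return the normalised key, or raise UnsafeAttributeKey."""
    if not isinstance(key, str) or not key:
        raise UnsafeAttributeKey("key must be a non-empty string")
    if _UNSAFE_KEY_CHARS.search(key):
        raise UnsafeAttributeKey(f"non-attribute character in key {key!r}")
    name = key.lower()
    if not _NAME_RE.fullmatch(name):
        raise UnsafeAttributeKey(f"key {key!r} is not a plain attribute name")
    prefixed = any(
        name.startswith(p) and len(name) > len(p) for p in ALLOWED_PREFIXES
    )
    if name not in ALLOWED_KEYS and not prefixed:
        raise UnsafeAttributeKey(f"key {key!r} is not on the allowlist")
    return name


def safe_attrs(user_attrs):
    """Validate every key; the result is what may be handed to xmlattr."""
    clean = {}
    for key, value in user_attrs.items():
        if value is None:  # xmlattr also omits None values
            continue
        clean[check_key(key)] = value
    return clean


def rejected_keys(user_attrs):
    """List the keys that fail validation, e.g. for logging or a code audit."""
    bad = []
    for key in user_attrs:
        try:
            check_key(key)
        except UnsafeAttributeKey:
            bad.append(key)
    return bad


def render_attrs(user_attrs):
    """Stand-alone rendering of validated attributes with escaped values."""
    pairs = safe_attrs(user_attrs).items()
    return " ".join(f'{k}="{escape(str(v), quote=True)}"' for k, v in pairs)


# Constructed sample input: two acceptable keys and five that must be refused.
SAMPLE = {
    "title": "ok",
    "data-row": "7",
    "id onclick=x": "1",
    "a/b": "1",
    "a>b": "1",
    "a=b": "1",
    "onclick": "x",
}

if __name__ == "__main__":
    print(rejected_keys(SAMPLE))
    print(render_attrs({"class": "btn", "data-id": 'a"b'}))
```

Values stay free-form and are escaped at render time, which matches the advisory's statement that accepting values as user input continues to be safe.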