mitsuhiko / minijinja

MiniJinja is a powerful but minimal dependency template engine for Rust compatible with Jinja/Jinja2
https://docs.rs/minijinja/
Apache License 2.0

filter `indent` escapes HTML to `&lt;` and `&gt;` #332

Open jameskr97 opened 1 year ago

jameskr97 commented 1 year ago

Description

When I put HTML inside an indent filter, the HTML is escaped and becomes &lt;, &gt;, &quot;, etc.

Reproduction steps

Here is sample code that shows the issue.

```rust
use minijinja::{Environment};

#[tokio::main]
async fn main() {
    let mut env = Environment::new();
    env.add_template("example.html","
<p>this is outside the filter</p>
{%- filter indent(4) %}
   <p>this is inside</p>
{%- endfilter -%}
    ").unwrap();

    let example = env.get_template("example.html").unwrap();
    println!("{}", example.render(()).unwrap());
}
```

Here is the output I get from cargo run

```text
Finished dev [unoptimized + debuginfo] target(s) in 0.17s
 Running `target\debug\test_app.exe`

<p>this is outside the filter</p>
       &lt;p&gt;this is inside&lt;&#x2f;p&gt;
```

Additional helpful information:

I only noticed this issue when the file ended in .html. When I tried to add the extension .jinja or .j2 this issue did not occur. I originally saw this happening when I had a base.html and index.html which extended from the base, where everything inside the {% block content %} rendered with escaped HTML. I simplified it down to the example shown above.

What did you expect

As a practice project, I'm rewriting one of my Python Flask apps to have a Rust backend. I expected the HTML to render as HTML without the &lt;, &gt;, similar to how it worked when I used Python.

mitsuhiko commented 1 year ago

The string filters currently are not escaping aware. For now you need to explicitly mark them as safe:

```jinja
{%- filter indent(4)|safe %}
   <p>this is inside</p>
{%- endfilter -%}
```
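
The behaviour discussed in this thread, as an added example that is not part of the issue and not minijinja's own code: a std-only Rust model in which values carry a safe marker, a string filter drops that marker, and auto-escaping is chosen from the template name. The names `Value`, `auto_escape`, `indent`, `mark_safe` and `emit` are hypothetical, and treating the filter block's body as already-safe markup is an assumption of the model.

```rust
// Simplified model of escape-aware template values. This is NOT minijinja's code.
#[derive(Clone, Debug, PartialEq)]
enum Value {
    Plain(String), // HTML-escaped on output when auto-escaping is active
    Safe(String),  // emitted verbatim
}

// Assumption: only the extension behaviour reported in the issue is modelled.
fn auto_escape(template_name: &str) -> bool {
    template_name.ends_with(".html")
}

fn html_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '&' => out.push_str("&amp;"),
            '"' => out.push_str("&quot;"),
            '/' => out.push_str("&#x2f;"),
            _ => out.push(c),
        }
    }
    out
}

// A filter that is not escaping aware: whatever it receives, it returns Plain.
// As in the issue's output, the first line is left as is and later lines are padded.
fn indent(v: &Value, width: usize) -> Value {
    let s = match v { Value::Plain(s) | Value::Safe(s) => s };
    let pad = format!("\n{}", " ".repeat(width));
    Value::Plain(s.split('\n').collect::<Vec<_>>().join(pad.as_str()))
}

// Model of the `|safe` workaround: re-attach the marker after the filter ran.
fn mark_safe(v: Value) -> Value {
    match v { Value::Plain(s) | Value::Safe(s) => Value::Safe(s) }
}

fn emit(template_name: &str, v: &Value) -> String {
    match v {
        Value::Plain(s) if auto_escape(template_name) => html_escape(s),
        Value::Plain(s) | Value::Safe(s) => s.clone(),
    }
}

fn main() {
    // Constructed input: the body of the filter block from the reproduction.
    let body = Value::Safe("\n   <p>this is inside</p>".to_string());
    println!("{}", emit("example.html", &indent(&body, 4)));
    println!("{}", emit("example.html", &mark_safe(indent(&body, 4))));
}
```

In this model `mark_safe` covers the entire output of the filter, so it is only appropriate when everything that went into the block is trusted markup.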