There are two reasonable approaches you could take.
Solution 1
As you are combining unsafe input with HTML into a single variable flask.Markup
is actually quite a handy way to do this. Basic idea is to split your text on the newline characters, make sure you HTML escape each of the lines which you do not trust, then glue them back together joined by <br />
tags which you do trust.
Here's the complete app to demonstrate this. It uses the same bar.html
template as in your question. Note that I've added some unsafe HTML to the footext
as a demonstration of why turning off autoescaping is not a safe solution to your problem.
import flask
app = flask.Flask(__name__)
footext = """f
o
<script>alert('oops')</script>
o"""
@app.route("/foo")
def foo():
text = ""
for line in footext.split('
'):
text += flask.Markup.escape(line) + flask.Markup('<br />')
return flask.render_template("bar.html", text=text)
if __name__ == "__main__":
app.run(debug=True)
Solution 2
Another option would be to push the complexity into your template, leaving you with a much simpler view. Just split footext
into lines, then you can loop over it in your template and autoescaping will take care of keeping this safe.
Simpler view:
@app.route("/foo")
def foo():
return flask.render_template("bar.html", text=footext.split('
'))
Template bar.html becomes:
<html>
{%- for line in text -%}
{{ line }}
{%- if not loop.last -%}
<br />
{%- endif -%}
{%- endfor -%}
</html>
Conclusion
I personally prefer solution 2, because it puts the rendering concerns (lines are separated by <br />
tags) in the template where they belong. If you ever wanted to change this in future to, say, show the lines in a bulleted list instead, you'd just have to change your template, not your code.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…