Why use "| safe" in Jinja2 with Python (original title: why to use " | safe" in jinja2 Python)


Problem description


I am following a Flask tutorial where he is using " | safe " in a Jinja2 template. Why do we need this pipe symbol and safe?

Without using safe, it prints all the HTML tags.

By using | safe, it shows proper formatting. Why does it work this way?

Below is the Jinja2 code:

{% extends "layout.html" %}

{% block body %}
    <h1>{{article.title}}</h1>
    <small>Written by {{article.author}} on {{article.create_date}}</small>
    <hr>
    <div>
        {{article.body | safe}}
    </div>
{% endblock %}

Solution

With | safe, Jinja2 will print symbols as they are in your variable; that means it won't translate "dangerous" symbols into HTML entities (which Jinja2 does by default to escape "dangerous" ones). Use this option if you trust the variable's content, because otherwise there can be vulnerabilities, for example XSS.
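To make the difference concrete, here is an added example (not from the original question or answer, and not Flask's or Jinja2's own code) that renders the article template both with and without | safe under Jinja2's autoescaping, and shows the Markup alternative for trusted HTML. It assumes jinja2 and markupsafe are installed; the article bodies are constructed inputs.

```python
# Added example: the same "{{ article.body }}" rendered with and without "| safe".
# Assumes the jinja2 and markupsafe packages are installed.
from jinja2 import Environment, DictLoader
from markupsafe import Markup

# Constructed inputs: one body with markup the site author wrote and trusts,
# one body that carries an injected script (what an untrusted author could store).
TRUSTED_BODY = "<p>Hello <b>world</b></p>"
HOSTILE_BODY = "<p>Hi</p><script>alert('xss')</script>"

# Two minimal stand-ins for the <div> from the question's template.
TEMPLATES = {
    "escaped.html": "<div>{{ article.body }}</div>",
    "unescaped.html": "<div>{{ article.body | safe }}</div>",
}

# autoescape=True is what Flask turns on for .html templates by default.
env = Environment(loader=DictLoader(TEMPLATES), autoescape=True)


def render(template_name: str, body: str) -> str:
    """Render one of the two templates for a constructed article dict."""
    return env.get_template(template_name).render(article={"body": body})


def render_marked_safe(body: str) -> str:
    """Alternative to "| safe" in the template: the view marks the value as
    trusted HTML with Markup, so Jinja2 leaves it alone even without the
    filter, while any plain str passed the same way is still escaped."""
    return env.get_template("escaped.html").render(article={"body": Markup(body)})


def wrap_untrusted(text: str) -> Markup:
    """Build trusted markup around untrusted text. Markup.format escapes its
    arguments, so the result can be rendered with "| safe" (or as Markup)
    without the text inside being able to inject tags."""
    return Markup("<p>{}</p>").format(text)


if __name__ == "__main__":
    print(render("escaped.html", HOSTILE_BODY))    # tags shown as text, script inert
    print(render("unescaped.html", HOSTILE_BODY))  # script passed through verbatim
    print(render_marked_safe(TRUSTED_BODY))        # trusted markup, no filter needed
    print(wrap_untrusted("<script>x</script>"))    # inner text escaped
```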
