Unless customized, Jinja is configured by Flask as follows:

- autoescaping is enabled for all templates ending in .html, .htm, .xml as well as .xhtml when using render_template().
- autoescaping is enabled for all strings when using render_template_string().
- a template has the ability to opt in or out of autoescaping with the {% autoescape %} tag.

Note that the first rule is decided purely by the template file name: a template named, say, mail.txt is rendered without autoescaping, so its output must never be served as HTML.
Flask inserts a couple of global functions and helpers into the Jinja context, in addition to the values that are present by default. The following global variables are available within templates:

- config: the current configuration object (flask.config).
- request: the current request object (flask.request). This variable is unavailable if the template was rendered without an active request context.
- session: the current session object (flask.session). This variable is unavailable if the template was rendered without an active request context.
- g: the request-bound object for global variables (flask.g). This variable is unavailable if the template was rendered without an active request context.
- url_for(): the flask.url_for() function.
- get_flashed_messages(): the flask.get_flashed_messages() function.

Flask also provides the tojson() filter, which converts the given object into its JSON representation, for example to hand data to JavaScript generated on the fly ({{ data|tojson }}). Inside script tags no HTML escaping must take place, so make sure to disable escaping with |safe. In Flask 0.10 and above, this happens automatically: the filter's output is already marked safe, and it is safe to embed in a script tag only because the filter encodes the characters <, >, & and ' as JSON \u escape sequences. Do not apply |safe to a value that was not produced by tojson.
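The rules above, exercised on a constructed XSS payload. This is an added example and not code from the Flask documentation; it assumes Flask (with its Jinja and MarkupSafe dependencies) is installed, and the template names page.html and mail.txt, the variable v and the PAYLOAD string are made up for the demonstration. It also shows the three ways of switching autoescaping off (a Markup object, the |safe filter, an {% autoescape %} block) and what tojson emits inside a script tag.

```python
# Added example (not from the Flask docs): how Flask's autoescaping
# rules treat a constructed attacker-controlled string.
from flask import Flask, render_template, render_template_string
from jinja2 import DictLoader
from markupsafe import Markup

app = Flask(__name__)

# Constructed payload and hypothetical in-memory templates.
PAYLOAD = '<script>alert("xss")</script>'
app.jinja_env.loader = DictLoader({
    "page.html": "<p>{{ v }}</p>",  # ends in .html: autoescaping on
    "mail.txt": "Hello {{ v }}",     # ends in .txt: autoescaping off
})


def render_html_template():
    """render_template() autoescapes because the name ends in .html."""
    with app.app_context():
        return render_template("page.html", v=PAYLOAD)


def render_txt_template():
    """A .txt template is rendered verbatim: the payload survives, so such
    output must never be served as text/html."""
    with app.app_context():
        return render_template("mail.txt", v=PAYLOAD)


def render_string():
    """render_template_string() autoescapes every string, whatever it holds."""
    with app.app_context():
        return render_template_string("<p>{{ v }}</p>", v=PAYLOAD)


def render_markup():
    """Trusted HTML wrapped in Markup in Python code is emitted unescaped."""
    with app.app_context():
        return render_template_string("<p>{{ v }}</p>", v=Markup("<b>bold</b>"))


def render_safe_filter():
    """|safe switches escaping off for one expression: the raw payload is emitted."""
    with app.app_context():
        return render_template_string("<p>{{ v|safe }}</p>", v=PAYLOAD)


def render_autoescape_block():
    """{% autoescape false %} switches escaping off for a whole region."""
    with app.app_context():
        return render_template_string(
            "{% autoescape false %}<p>{{ v }}</p>{% endautoescape %}", v=PAYLOAD
        )


def render_tojson():
    """|tojson encodes <, >, & and ' as \\u sequences and marks the result
    safe, so it can sit inside <script> without |safe."""
    with app.app_context():
        return render_template_string(
            "<script>var data = {{ v|tojson }};</script>", v=PAYLOAD
        )


if __name__ == "__main__":
    for fn in (render_html_template, render_txt_template, render_string,
               render_markup, render_safe_filter, render_autoescape_block,
               render_tojson):
        print(f"{fn.__name__}: {fn()}")
```

Only render_html_template, render_string and render_tojson neutralise the payload; the .txt template, |safe and the autoescape block all emit it verbatim, which is exactly why those opt-outs belong on trusted values only.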
HTML has five characters with special meaning: &, >, <, " as well as '. Because these characters carry specific meanings in documents on their own, you have to replace them by so-called "entities" if you want to use them as text. Not doing so would not only cause user frustration by the inability to use these characters in text, but can also lead to security problems (see Cross-Site Scripting (XSS)).

Sometimes, however, you need to disable autoescaping, for instance when a value is itself trusted HTML. There are three ways to accomplish that:

- In the Python code, wrap the HTML string in a Markup object before passing it to the template. This is in general the recommended way.
- Inside the template, use the |safe filter to explicitly mark a string as safe HTML ({{ myvariable|safe }}).
- Temporarily disable the autoescape system altogether with an {% autoescape %} block.

Whichever you choose, the value you mark safe must really be trusted HTML that you generated yourself; marking user-controlled text as safe reintroduces exactly the XSS that autoescaping prevents.

Filters work exactly like regular Jinja filters. To register your own, either put them into the jinja_env of the application or use the template_filter() decorator. A filter that returns a plain string is still autoescaped on output; a filter that builds HTML has to return a Markup object and must escape any untrusted parts itself.
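Registering filters both ways, with the escaping consequences for a filter that builds HTML. This is an added example and not code from the Flask documentation; the filter names reverse, badge and badge_unsafe, the variable v and the PAYLOAD string are made up for the demonstration, and Flask is assumed to be installed.

```python
# Added example (not from the Flask docs): custom filters registered via
# the template_filter() decorator and via app.jinja_env.filters.
from flask import Flask, render_template_string
from markupsafe import Markup

app = Flask(__name__)


@app.template_filter("reverse")  # hypothetical filter name
def reverse_filter(s: str) -> str:
    # Returns plain text, so the template autoescapes it like any other value.
    return s[::-1]


def badge(text: str) -> Markup:
    # Builds HTML, so it must return Markup. Markup.format() escapes its
    # arguments, so untrusted `text` cannot break out of the <span>.
    return Markup('<span class="badge">{}</span>').format(text)


def badge_unsafe(text: str) -> Markup:
    # Deliberately wrong: the untrusted text is concatenated as a plain str
    # and only then wrapped in Markup, which marks the whole thing safe.
    return Markup('<span class="badge">' + text + "</span>")


# Registration through the application's jinja_env.
app.jinja_env.filters["badge"] = badge
app.jinja_env.filters["badge_unsafe"] = badge_unsafe

# Constructed attacker-controlled input.
PAYLOAD = "<img src=x onerror=alert(1)>"


def render_reverse():
    with app.app_context():
        return render_template_string("{{ v|reverse }}", v="abc")


def render_reverse_escaped():
    # The filter sees the raw value; its str result is escaped on output.
    with app.app_context():
        return render_template_string("{{ v|reverse }}", v="<b>")


def render_badge():
    with app.app_context():
        return render_template_string("{{ v|badge }}", v=PAYLOAD)


def render_badge_unsafe():
    with app.app_context():
        return render_template_string("{{ v|badge_unsafe }}", v=PAYLOAD)


if __name__ == "__main__":
    for fn in (render_reverse, render_reverse_escaped, render_badge, render_badge_unsafe):
        print(f"{fn.__name__}: {fn()}")
```

The badge filter keeps its own markup intact while the payload is entity-encoded; badge_unsafe emits the payload verbatim because Markup() on an already assembled string asserts that all of it is trusted.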