⚾︎
2023-08-17
The documentation for the Tera template engine should follow the example of its Python twin Jinja and explain the "| safe" filter in the context of autoescaping. Otherwise new adopters are left wondering why trusted, internally configured URL references such as {{ config.base_url }} come out needlessly HTML-escaped (Tera's autoescaping also escapes "/", so a URL renders with &#x2F; in place of each slash).
Tera Autoescaping: https://tera.netlify.app/docs/#auto-escaping
Jinja Autoescaping and "safe" in context: https://jinja.palletsprojects.com/en/3.1.x/templates/#working-with-automatic-escaping
"If you know you have data that is already safe but not marked, be sure to wrap it in Markup or use the |safe filter. Jinja functions (macros, super, self.BLOCKNAME) always return template data that is marked as safe."
New adopter unaware of |safe: https://zola.discourse.group/t/adding-canonical-links-to-pages/1495
Resulting issue: GitHub: Keats/tera/issues/849
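To make the behaviour concrete, here is an added Rust example (written for this note, not code from Tera, Zola or the linked threads). It re-implements the escape set that Tera's autoescaping documents (&, <, >, ", ', /) and models the two states a value can be in: untrusted text that the output stage escapes, and text already marked safe, which is what "| safe" produces. The Value type, safe(), render() and canonical_link() are illustrative assumptions, not Tera's API, and the base_url and path values are constructed sample data.

```rust
// Added example: a minimal model of autoescaping plus a "safe" marker.
// The escape set matches what Tera documents for autoescaping; the code
// itself is not Tera's, and Value/safe/render/canonical_link are
// illustrative assumptions rather than Tera's API.

/// A template value: untrusted text that must be escaped on output, or
/// text already marked safe (what the `| safe` filter yields).
#[derive(Debug, Clone, PartialEq)]
pub enum Value {
    Text(String),
    Safe(String),
}

/// HTML-escape the six characters Tera's autoescaping documents.
/// Note that `/` is included, which is why URLs pick up `&#x2F;`.
pub fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len() + 16);
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            '/' => out.push_str("&#x2F;"),
            _ => out.push(c),
        }
    }
    out
}

/// Equivalent of `| safe`: mark a value as already-safe output.
pub fn safe(v: Value) -> Value {
    match v {
        Value::Text(s) | Value::Safe(s) => Value::Safe(s),
    }
}

/// Output stage of an autoescaping engine: Text is escaped, Safe is
/// emitted verbatim.
pub fn render(v: &Value) -> String {
    match v {
        Value::Text(s) => escape_html(s),
        Value::Safe(s) => s.clone(),
    }
}

/// Assemble a canonical link the way the Zola thread does, from a
/// site-owned base URL and the current page path.
pub fn canonical_link(base_url: &Value, path: &Value) -> String {
    format!(
        "<link rel=\"canonical\" href=\"{}{}\">",
        render(base_url),
        render(path)
    )
}

fn main() {
    // Constructed sample configuration, standing in for {{ config.base_url }}.
    let base_url = Value::Text("https://example.com".to_string());
    let path = Value::Text("/posts/hello/".to_string());

    // Without `| safe`: every slash in the rendered source becomes &#x2F;.
    println!("{}", canonical_link(&base_url, &path));
    // With `| safe` on values the site itself controls: rendered verbatim.
    println!("{}", canonical_link(&safe(base_url.clone()), &safe(path.clone())));

    // The caveat: `| safe` on user-controlled input switches the protection off.
    let title = Value::Text("<script>alert(1)</script>".to_string());
    println!("{}", render(&title)); // escaped, inert
    println!("{}", render(&safe(title))); // raw script tag reaches the page
}
```

The rule of thumb the example encodes: "| safe" belongs on values whose content the site author controls end to end (configuration, generated markup), never on anything that originates from a user or an external source, because it removes the only barrier autoescaping provides.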
Today I Learned
Also see TIL OWASP Cheatsheets for more on autoescaping and other security goodies.