Block sets are now safe. This fixes #490

pallets · Jan 6, 2017 · 6a754cb · 6a754cb
1 parent e273b3a
commit 6a754cb
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 1 deletion.
diff --git a/CHANGES b/CHANGES
@@ -27,6 +27,7 @@ Version 2.9
   autoescaping information at call time instead of macro define time.
 - Ported a modified version of the `tojson` filter from Flask to Jinja2
   and hooked it up with the new policy framework.
+- Block sets are now marked `safe` by default.
 
 Version 2.8.2
 -------------

diff --git a/jinja2/compiler.py b/jinja2/compiler.py
@@ -1297,7 +1297,8 @@ def visit_AssignBlock(self, node, frame):
         self.blockvisit(node.body, block_frame)
         self.newline(node)
         self.visit(node.target, frame)
-        self.write(' = concat(%s)' % block_frame.buffer)
+        self.write(' = (Markup if context.eval_ctx.autoescape '
+                   'else identity)(concat(%s))' % block_frame.buffer)
         self.pop_assign_tracking(frame)
         self.leave_frame(block_frame)
 

diff --git a/tests/test_core_tags.py b/tests/test_core_tags.py
@@ -348,3 +348,9 @@ def test_block(self, env_trim):
         tmpl = env_trim.from_string('{% set foo %}42{% endset %}{{ foo }}')
         assert tmpl.render() == '42'
         assert tmpl.module.foo == u'42'
+
+    def test_block_escaping(self):
+        env = Environment(autoescape=True)
+        tmpl = env.from_string('{% set foo %}<em>{{ test }}</em>'
+                               '{% endset %}foo: {{ foo }}')
+        assert tmpl.render(test='<unsafe>') == 'foo: <em>&lt;unsafe&gt;</em>'