Should set blocks be safe by default?

[ThiefMaster]

Right now this testcase would fail:

    def test_set_block(self):
        env = Environment(extensions=['jinja2.ext.autoescape'],
                          autoescape=True)
        tmpl = env.from_string('{% set foo %}<br>{% endset %}{{ foo }}')
        assert tmpl.render() == '<br>'

>       assert tmpl.render() == '<br>'
E       assert '&lt;br&gt;' == '<br>'
E         - &lt;br&gt;
E         + <br>

The contents of a set block is very similar to a macro though, so I think this behavior is not what you'd expect. Especially since you easily get double escaping, as shown in an extended version of the testcase above:

    def test_set_block(self):
        env = Environment(extensions=['jinja2.ext.autoescape'],
                          autoescape=True)
        tmpl = env.from_string('{% set foo %}{{ bar }}<br>{% endset %}'
                               '{{ foo }}')
>       assert tmpl.render(bar='<hr>') == '&lt;hr&gt;<br>'
E       assert '&amp;lt;hr&amp;gt;&lt;br&gt;' == '&lt;hr&gt;<br>'
E         - &amp;lt;hr&amp;gt;&lt;br&gt;
E         + &lt;hr&gt;<br>

If I add the safe filter to my set block (added in #489) the testcase passes fine, but I think this is the most common use case and thus shouldn't require a filter.

[cboos]

+1, as I also got bitten by this...

Since the doc gives this example:

{% set navigation %}
   <li><a href="/">Index</a>
   <li><a href="/downloads">Downloads</a>
{% endset %}

The navigation variable then contains the navigation HTML source.

This really makes you expect that you'll get non-escaped HTML when using it, like you'd get for a macro.

[eli-collins]

If/when this does get implemented, I think something deeper is off about the 'block set' implementation that probably needs addressing at the same time...

Over in issue #486, it was suggested to use a {% filter safe %} block as a workaround, until either support for either 486 or this issue was complete.

However, the {% filter safe %} workaround yielded a surprising (to me) result:

def test_set_block(self):
    env = Environment(extensions=['jinja2.ext.autoescape'],
                      autoescape=True)
    tmpl = env.from_string('{% set foo %}{% filter safe %}<br>{% endfilter %}'
                           '{% endset %}{{ foo }}')
    result = tmpl.render()
    assert result == '<br>', result

As of v2.8, this renders <br> instead of the expected value... I'm guessing somewhere the input to the block set is being forcably escaped, despite the filter returning an html-safe string?

[mitsuhiko]

I agree it would be reasonable to change this. I think this might have been the result of an optimization.

[ThiefMaster]

When fixing this let's make sure that in case of something like this, unsafe is still properly escaped:

{% set foo %}<div>{{ unsafe }}</div>{% endset %}

[aaugustin]

I just hit this issue as well.

My workaround:

{% set foo %} ... {% endset %}
{% set foo = foo | safe %}{# workaround for https://github.com/pallets/jinja/issues/490 #}

[aaugustin]

Thanks Armin!