qutebrowser/qutebrowser/completion
Florian Bruhin 3179e8c7b9 Always autoescape jinja environments unless overridden
We were only rendering .html files before, so the old _guess_autoescape function
had the effect of always autoescaping .render() (from a file) but never
autoescaping .from_string(). However, most places using .from_string() actually
render (Qt-)HTML via jinja, so they should escape stuff!

Now, we always autoescape, except when the caller uses the
jinja.environment.no_autoescape() context manager, which places rendering
stylesheets now do.

This impacted:

- Confirm quit texts (no HTML here)
- config.py loading errors
  (where this was found because of an error containing - a <keybinding>)
- Certificate error prompts
  (should be fine from what I can tell, as the only user-controllable output is
  the hostname, which cannot contain HTML)
2017-09-16 10:43:59 +02:00
models                 Fix configmodel nitpicks                                 2017-09-07 08:56:11 -04:00
__init__.py            Finally update copyrights...                             2017-05-09 21:37:03 +02:00
completer.py           Quote a completed value if it contains "                 2017-09-15 22:17:38 +02:00
completiondelegate.py  Always autoescape jinja environments unless overridden   2017-09-16 10:43:59 +02:00
completionwidget.py    Merge remote-tracking branch 'upstream/master' into HEAD 2017-08-06 18:13:49 -04:00