3179e8c7b9
We were only rendering .html files before, so the old _guess_autoescape function had the effect of always autoescaping .render() (from a file) but never autoescaping .from_string(). However, most places using .from_string() actually render (Qt-)HTML via jinja, so they should escape stuff! Now, we always autoescape, except when the caller uses the jinja.environment.no_autoescape() context manager, which places rendering stylesheets now do. This impacted: - Confirm quit texts (no HTML here) - config.py loading errors (where this was found because of an error containing - a <keybinding>) - Certificate error prompts (should be fine from what I can tell, as the only user-controllable output is the hostname, which cannot contain HTML) |
||
|---|---|---|
| .. | ||
| usertypes | ||
| overflow_test_cases.py | ||
| test_debug.py | ||
| test_error.py | ||
| test_javascript_string_escape.html | ||
| test_javascript.py | ||
| test_jinja.py | ||
| test_log.py | ||
| test_qtutils.py | ||
| test_standarddir.py | ||
| test_typing.py | ||
| test_urlutils.py | ||
| test_utils.py | ||
| test_version.py | ||