I am trying to insert into a Jinja template an HTML text which will be submitted as a variable from the Python script.

Python:

    from flask import Flask, render_template

    app = Flask(__name__)
    # 'data' is used below but not defined in the posted snippet; assumed to be loaded elsewhere.

    @app.route('/faq', defaults={'faq_id': "keine_id"})
    @app.route('/faq/<string:faq_id>')
    def faq(faq_id):
        # The description is wrapped in <p> tags before it is handed to the template.
        return render_template('faq.html', beschreibung=f"<p>{data['beschreibung']}</p>")

HTML:

    <div class="col-12 col-lg-5">
        <div class="single_product_desc">
            <div class="product-meta-data">
                <p class="product-price">{{titel}}</p>
            </div>
            {{ beschreibung }}
        </div>
    </div>

If I visit the webpage, it loads my variable as text, not as HTML code; instead there are just quotes around my text and the paragraph tags get ignored.

Does anyone know how to fix this?

best regards!

Oliver W

1 Answer

You should use the jinja2 filter "safe" to suppress the automatic escaping.

{{ beschreibung | safe }}
Detlef
    With this method OP should be careful `data['beschreibung']` doesn't contain unvalidated user input. If an attacker is able to get something like a ` – v25 Feb 14 '21 at 22:48
    @v25 is correct. You should validate the input and possibly perform the escaping yourself. See [following](https://flask.palletsprojects.com/en/1.1.x/api/#flask.escape). – Detlef Feb 14 '21 at 23:08
  • alright, thank you guys! – Oliver W Feb 15 '21 at 21:21
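
As an added example (not part of the question or the answer), the three behaviours discussed in this thread, rendered with Jinja2's autoescaping the way Flask applies it to `.html` templates: plain `{{ }}` (the OP's symptom), `| safe` on an f-string (the risk v25 raises), and a `Markup` value that keeps the `<p>` tags while escaping the stored description, in the spirit of Detlef's escaping advice. It assumes `jinja2` and `markupsafe` are installed; the sample description is constructed.

```python
# Added example: compares autoescaped, "| safe", and Markup-based rendering of
# a product description that contains markup the application did not write.
from jinja2 import Environment
from markupsafe import Markup

# Same autoescaping Flask enables for .html templates.
env = Environment(autoescape=True)

# Constructed sample: a stored description containing unwanted markup.
UNTRUSTED_BESCHREIBUNG = "Nice product <script>alert(1)</script>"


def render(template_src: str, beschreibung) -> str:
    """Render a one-line template with the given 'beschreibung' value."""
    return env.from_string(template_src).render(beschreibung=beschreibung)


def naive_value(text: str) -> str:
    """What the question does: wrap raw text in <p> with an f-string."""
    return f"<p>{text}</p>"


def hardened_value(text: str) -> Markup:
    """Markup.format() escapes its arguments: only the <p> tags written here
    are trusted, the stored description is rendered as text."""
    return Markup("<p>{}</p>").format(text)


def demo() -> dict:
    """Return the rendered HTML for each of the three approaches."""
    return {
        # Default autoescaping: everything is escaped, including the <p> tags.
        "escaped": render("{{ beschreibung }}", naive_value(UNTRUSTED_BESCHREIBUNG)),
        # "| safe" on the f-string: the stored <script> passes through untouched.
        "unsafe": render("{{ beschreibung | safe }}", naive_value(UNTRUSTED_BESCHREIBUNG)),
        # Markup value: <p> survives autoescaping, the stored markup does not.
        "hardened": render("{{ beschreibung }}", hardened_value(UNTRUSTED_BESCHREIBUNG)),
    }


if __name__ == "__main__":
    for name, html in demo().items():
        print(f"{name:9}: {html}")
```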