turn on autoescape in Jinja2
chadwhitacre opened this issue
Chad Whitacre commented
Jinja2 sez autoescape is bad, but I disagree. See gratipay/gratipay.com#722 for discussion.
Paul Jimenez commented
I'd rather leave it the default, but document how to turn it on if you want it. Could/should also serve to document how, in general, to tweak renderers.
Chad Whitacre commented
The difference in our case is that we're almost exclusively HTML/XML in context. Jinja2 might be used for email, but aspen-jinja2 is almost certainly being used for HTML.
Charly C. commented
aspen-jinja2 should be able to determine what it's being used for (via the Content-Type) and thus whether or not it's appropriate to turn on the autoescape.
Charly C. commented
I have a branch ready for this, waiting for the next Aspen release.
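
The Content-Type idea proposed in this thread, as an added example that is not part of the original thread and is not aspen-jinja2's code: it decides from a response's Content-Type whether a plain Jinja2 `Environment` should autoescape. The function names, the list of markup media types, and the choice to escape when no type is declared are assumptions made for illustration.

```python
# Added example: choose Jinja2 autoescaping from the response Content-Type.
# should_autoescape() and render() are hypothetical helpers, not Aspen APIs.

# Assumed set of media types whose output is parsed as markup by the client.
MARKUP_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "text/xml",
    "application/xml",
}


def should_autoescape(content_type):
    """Return True when output of this Content-Type needs HTML/XML escaping."""
    # Drop parameters such as "; charset=UTF-8" and normalise case.
    media_type = (content_type or "").split(";", 1)[0].strip().lower()
    if not media_type:
        # No declared type: escape rather than guess (assumed policy).
        return True
    # "+xml" covers structured-syntax types such as image/svg+xml.
    return media_type in MARKUP_TYPES or media_type.endswith("+xml")


def render(source, content_type, **context):
    """Render a template string with autoescape chosen per Content-Type."""
    from jinja2 import Environment  # third-party; imported only when rendering

    env = Environment(autoescape=should_autoescape(content_type))
    return env.from_string(source).render(**context)


if __name__ == "__main__":
    template = "Hello {{ name }}"
    value = "<b>Chad</b> & co"  # constructed sample input
    for header in ("text/html; charset=UTF-8", "text/plain"):
        print(header, "->", render(template, header, name=value))
```

Values the template author has already vetted can still be passed through Jinja2's `|safe` filter when autoescape is on, which is the opt-out side of the trade-off discussed above.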