turn on autoescape for flask.templating.render_template_string

[alanhamlett]

This seems like a sane default, since Flask turns on autoescape by default for html files when using the more common render_template so users will be expecting render_template_string to autoescape their template variables.

[untitaker]

Sensible or not, this is a drastical change in behavior and a breakage of the API that deserves more discussion than just a simple PR.

[alanhamlett]

@untitaker sure, where do we start?

[untitaker]

There are a few questions unanswered:

• How to deal with code that relies on the current default
• Whether the change is worth the compatibility breakage
• Which reasons @mitsuhiko originally had for the current default

[alanhamlett]

How to deal with code that relies on the current default

This search finds too many usages than I know how to deal with, so just a note in the release changes?
https://github.com/search?q=render_template_string&type=Code

Whether the change is worth the compatibility breakage

I'm always for breaking compatibility in favor of better defaults, but it's not only my decision.

Which reasons @mitsuhiko originally had for the current default

@mitsuhiko any input?

[alanhamlett]

What should we do about this? If this pull request isn't going to be merged I'll remove it...

[untitaker]

I think it should be included in 1.0, but mitsuhiko should decide.

It doesn't seem that he is reachable atm, but please reopen anyway.

On 23 June 2015 09:34:05 CEST, Alan Hamlett [email protected] wrote:

Closed #1176.

---

Reply to this email directly or view it on GitHub:
#1176 (comment)

[alanhamlett]

I deleted the fork, so can't reopen. Created a new pull request #1515.