Is it possible to escape the raw block itself so that
{% raw %}
foobar,
{% raw %}
need this verbatim with the raw block outside
{% endraw %}
{% endraw %}
gets templated out as below?
foobar,
{% raw %}
need this verbatim with the raw block outside
{% endraw %}
I am running templates via ansible which is fed to another system which also uses jinja templating. I can probably work around this but am curious if this use case is somehow supported.
foobar,
{{ '{%' }} raw {{ '%}' }}
need this verbatim with the raw block outside
{{ '{%' }} endraw {{ '%}' }}
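The two-stage render described in the question, as an added example that is not part of the original posts: it shows that the nested raw form fails to compile and that the string-literal form survives the first pass and is honoured by the second. The variables name and later, and both function names, are assumptions made for the illustration.

```python
from jinja2 import Environment, TemplateSyntaxError

# keep_trailing_newline so stage 1 output is passed on byte-for-byte.
env = Environment(keep_trailing_newline=True)

# The nested form from the question: the first endraw closes the block,
# so the second endraw is parsed as an unknown tag.
NESTED = (
    "{% raw %}\nfoobar,\n{% raw %}\nverbatim\n{% endraw %}\n{% endraw %}\n"
)

# Stage-1 template using the answer's trick. The delimiters are string
# literals, so stage 1 prints them instead of parsing them as tags.
# "name" and "later" are hypothetical variables for this illustration.
STAGE1 = (
    "{{ name }},\n"
    "{{ '{%' }} raw {{ '%}' }}\n"
    "need this verbatim: {{ '{{' }} later {{ '}}' }}\n"
    "{{ '{%' }} endraw {{ '%}' }}\n"
)


def nested_raw_compiles():
    """Return True if the nested raw/endraw template compiles."""
    try:
        env.from_string(NESTED)
        return True
    except TemplateSyntaxError:
        return False


def render_two_stages(name):
    """Render stage 1, then feed its output to a second Jinja pass."""
    stage1_out = env.from_string(STAGE1).render(name=name)
    # The downstream system renders stage 1's output as its own template.
    stage2_out = env.from_string(stage1_out).render(later="EXPANDED")
    return stage1_out, stage2_out


if __name__ == "__main__":
    print("nested raw compiles:", nested_raw_compiles())
    first, second = render_two_stages("foobar")
    print(first)
    print(second)
```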
I'm building an admin for Flask and SQLAlchemy, and I want to pass the HTML for the different inputs to my view using render_template. The templating framework seems to escape the HTML automatically, so all <"'> characters are converted to HTML entities. How can I disable that so that the HTML renders correctly?
To turn off autoescaping when rendering a value, use the |safe filter.
{{ something|safe }}
Only do this on data you trust, since rendering untrusted data without escaping is a cross-site scripting vulnerability.
MarkupSafe provides Jinja's autoescaping behavior. You can import Markup and use it to declare a value HTML safe from the code:
from markupsafe import Markup
value = Markup('<strong>The HTML String</strong>')
Pass that to the templates and you don't have to use the |safe filter on it.
From the Jinja docs section HTML Escaping:
When automatic escaping is enabled everything is escaped by default
except for values explicitly marked as safe. Those can either be
marked by the application or in the template by using the |safe
filter.
Example:
<div class="info">
{{data.email_content|safe}}
</div>
When you have a lot of variables that don't need escaping, you can use an autoescape override block:
{% autoescape false %}
{{ something }}
{{ something_else }}
<b>{{ something_important }}</b>
{% endautoescape %}
For handling line-breaks specifically, I tried a number of options before finally settling for this:
{% set list1 = data.split('\n') %}
{% for item in list1 %}
{{ item }}
{% if not loop.last %}
<br/>
{% endif %}
{% endfor %}
The nice thing about this approach is that it's compatible with the auto-escaping, leaving everything nice and safe. It can also be combined with filters, like urlize.
Of course it's similar to Helge's answer, but doesn't need a macro (relying instead on Jinja's built-in split function) and also doesn't add an unnecessary <br/> after the last item.
Some people seem to turn autoescape off which carries security risks to manipulate the string display.
If you only want to insert some linebreaks into a string and convert the linebreaks into <br />, then you could take a jinja macro like:
{% macro linebreaks_for_string( the_string ) -%}
{% if the_string %}
{% for line in the_string.split('\n') %}
<br />
{{ line }}
{% endfor %}
{% else %}
{{ the_string }}
{% endif %}
{%- endmacro %}
and in your template just call this with
{{ linebreaks_for_string( my_string_in_a_variable ) }}
Use the safe filter in your template, and then sanitize the HTML with the bleach library in your view. Using bleach, you can whitelist the HTML tags that you need to use.
This is the safest, as far as I know. I tried both the safe filter and the Markup class, and both ways allowed me to execute unwanted JavaScript. Not very safe!
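A comparison of the approaches in the answers above, as an added example that is not taken from any of the posts: the same untrusted string rendered with autoescaping, with the |safe filter, with the split loop, and with a Python-side helper built on Markup.join. The sample string and the function names are constructed for the illustration.

```python
from jinja2 import Environment
from markupsafe import Markup

env = Environment(autoescape=True)

# Constructed sample input: user text with markup and a line break.
UNTRUSTED = "line one <script>alert(1)</script>\nline two"

# The split/loop approach from the line-break answer, on one line so the
# output whitespace is predictable.
LOOP_TEMPLATE = (
    r"{% set list1 = data.split('\n') %}"
    "{% for item in list1 %}{{ item }}"
    "{% if not loop.last %}<br/>{% endif %}{% endfor %}"
)


def render_escaped(value):
    """Default behaviour: autoescaping turns markup into entities."""
    return env.from_string("{{ v }}").render(v=value)


def render_safe(value):
    """|safe disables escaping, so the markup reaches the page as-is."""
    return env.from_string("{{ v|safe }}").render(v=value)


def render_loop(value):
    """Template-side line breaks; each item is still autoescaped."""
    return env.from_string(LOOP_TEMPLATE).render(data=value)


def linebreaks(value):
    """Python-side line breaks: Markup.join escapes every item, and only
    the trusted <br/> separator is emitted as markup."""
    return Markup("<br/>").join(value.split("\n"))


if __name__ == "__main__":
    print(render_escaped(UNTRUSTED))
    print(render_safe(UNTRUSTED))
    print(render_loop(UNTRUSTED))
    print(render_escaped(linebreaks(UNTRUSTED)))
```

Only the two line-break variants produce a real <br/> while keeping the script tag inert; |safe passes the tag through unchanged.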
I'm trying to output the contents of a variable in raw format. Right now I have something like this:
{{ content }}
but I want to not do any processing of the page content. So if my page content is:
this text should be {{ literal }}
I would like it to generate html corresponding to exactly that, i.e. not do any variable expansion on "{{ literal }}". Is there a way to do this? I had expected a filter to be able to do this but I can't find it.
Thank you.
Make your page content this:
this text should be {% raw %}{{ literal }}{% endraw %}
Or you could do:
{% raw %}
this text should be {{ literal }}
{% endraw %}
And then on the page you'll see:
this text should be {{ literal }}
The raw tags are mentioned in the documentation here.
I have a page say index.html and a file with liquid code called tags. I want to pass a parameter which I specify in index.html to a liquid call in tags. Namely,
index.html
<div>
{% include tags param="site.categories" %}
</div>
Tags
{% assign tags_list = {{ include.param }} %}
...
The {% assign tags_list = {{ include.param }} %} does not work for some reason. Is it possible to do so because this allows me to use tags file for multiple purposes? Instead of writing liquid calls in every page I would be able to just do {% include tags param="something" %}. Thanks.
Well, {% include tags param="site.categories" %} is not passing the site.categories hash but the "site.categories" string.
The right syntax is:
{% include tags.html param=site.categories %}
I am attempting to output a name of a collection from the json data from the customize page of Shopify theme. I can do this fine when it's on its own.
For Example:
{{ settings.collection1 }}
However, I want it in a query and am not sure how to do this. Where the {{settings.collection1}} is, I want to output the collection name and have the products be outputted in that collection, but currently all that happens is the collection name itself is outputted.
{% for product in collections.{{settings.collection1}}.products %}
{% capture productLink %}{{ product.url }}{% endcapture %}
{{product.title}}
{% endfor %}
Thanks!
Looked into the templating documentation, turns out I needed to use square brackets inside of a tag when using an object.
{% for product in collections.[[settings.collection1]].products %}
{% capture productLink %}{{ product.url }}{% endcapture %}
{{product.title}}
{% endfor %}
Like This
[[settings.collection1]
{{ ... }} is used for output. You can access a collection with dot notation or square brackets. For example, these 2 lines do the same thing:
collections.frontpage.products
collections['frontpage'].products
If you want to get the collection name from the settings object, the square bracket notation is the one you'll need to use:
collections[settings.collection1].products
I have a custom Liquid filter I use in a Jekyll site,
{{ page.url | git_modified }}
Which generates the modification date from the git log (plugin code here).
Often I may add the additional filter to convert this to a string or XML schema, depending on context, e.g. {{ page.url | git_modified | date_to_string }}. Everything is hunky-dory unless for some reason my git_modified filter fails to return a time object for some post. In that case, I am trying to write a decent fail condition but cannot quite figure this out.
I'd like to just wrap my call in a liquid if statement to check if the variable is defined first:
{% if defined?( {{ page.url | git_modified }} %}
But I don't seem to be able to use Liquid tags ({{) inside Liquid block options ({%, %}). I thought I could get around this with Liquid capture:
{% capture page_modified %}{{ page.url | git_modified }}{% endcapture %}
{% if defined?(page_modified) %}
{{ page.url | git_modified | date_to_string }}
{% endif %}
but said variables do not seem to be available to the if statements. Any suggestions?
Try doing it this way:
{% capture page_modified %}
{{ page.url }}
{% endcapture %}
{% if page_modified %}
{{ page.url }}
{% endif %}
If page_modified isn't defined, its value will be nil anyway, so just use the if construct as you would in pure Ruby. I tested here with jekyll 1.0.0.beta2 — jekyll new test, then created a file with the above code — and it worked. :)