Question:
I have a python variable is defined as follows:
var = <p>some text</p>
I’d like to pass this in to HTML with Flask like this: {{ var }}. It should show up on the website as simply displaying the words “some text” but instead shows up as “<p>some text</p>” to the user and is not in a <p> tag.
How do I fix this?
Basically tell Flask that this is not XSS and it’s safe to display with |safe
{{ var | safe }}
safe, I made a typo there
Also, just curios, what’s XSS?
Cross site scripting. Basically means anyone can run JavaScript on your site.
It’s very dangerous. I’ve had to ban about twenty-five people on my chat app for attempting it.
And that works because Flask is kinda using innerText instead of innerHTML (idk if you’ve ever used those properties). If you just made the variable a text node, then you wouldn’t need the safe thing I believe.
what is a text node?
In HTML, it’s just a plain string of text that isn’t necessarily part of an element and rather its own node
okay but how would you make one with Python?
Just insert regular text…
It’s much better to wrap your text in a p or span tag though
Unless you’re suggesting this?
<p>{{ var }}</p>
Yeah, but at the same time I’d say using innerHTML/safe isn’t the greatest, but yeah
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.