Flask check: Unescaped file extension

Flask only enables Jinja autoescaping for templates whose file names end in .html, .htm, .xml, or .xhtml. This check alerts when render_template() is called with a template whose extension is not one of these, and, for such templates, does its best to tell whether the context variables passed to the template have been escaped explicitly before it reports a finding.

Description

Flask does not autoescape Jinja templates unless they have the .html, .htm, .xml, or .xhtml file extension (Flask 2.0 and newer also autoescape .svg). Any value rendered into a template with another extension, for example .txt or .j2, is inserted verbatim unless the template or the view escapes it. This behavior is described in the Flask documentation here: https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup.

Flask will autoescape in this case:

from flask import Flask, render_template, request
app = Flask(__name__)

@app.route("/safe")
def safe():
    return render_template("safe.html", hello=request.args.get("hello"))

But, Flask will not autoescape in this case:

@app.route("/unsafe")
def unsafe():
    # .txt is not autoescaped: the hello value is rendered verbatim (intentionally unsafe)
    return render_template("unsafe.txt", hello=request.args.get("hello"))
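
The following is an added example of how a check like this one can be implemented over Python source with the standard library ast module. It is not the check's own code and is not part of the original page: flask_will_autoescape() mirrors Flask's extension rule, and find_unescaped_templates() flags render_template() calls whose template extension is not autoescaped, unless every context variable is wrapped in an escape call. The set of recognised escape calls (ESCAPE_CALLS) and the sample source are assumptions constructed for the example.

```python
import ast
from typing import List, Tuple

# Extensions Flask 1.1.x autoescapes (Flask.select_jinja_autoescape);
# Flask 2.0+ also autoescapes ".svg".
AUTOESCAPED_EXTENSIONS = (".html", ".htm", ".xml", ".xhtml")

# Hypothetical list of calls this example treats as explicit escaping of a
# context value. A real check may recognise more or fewer forms.
ESCAPE_CALLS = {"escape", "Markup.escape", "markupsafe.escape", "html.escape"}

# Constructed sample source: the two handlers from the text plus one that
# escapes the value explicitly before rendering a non-autoescaped template.
SAMPLE_SOURCE = '''
from flask import Flask, render_template, request
from markupsafe import escape
app = Flask(__name__)

@app.route("/safe")
def safe():
    return render_template("safe.html", hello=request.args.get("hello"))

@app.route("/unsafe")
def unsafe():
    return render_template("unsafe.txt", hello=request.args.get("hello"))

@app.route("/escaped")
def escaped():
    return render_template("mail.txt", hello=escape(request.args.get("hello")))
'''


def flask_will_autoescape(template_name: str) -> bool:
    """Mirror Flask's extension-based autoescape decision."""
    return template_name.endswith(AUTOESCAPED_EXTENSIONS)


def _dotted_name(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as Markup.escape as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return f"{_dotted_name(node.value)}.{node.attr}"
    return ""


def _is_escaped(value: ast.AST) -> bool:
    """True when the context value is wrapped in a recognised escape call."""
    return isinstance(value, ast.Call) and _dotted_name(value.func) in ESCAPE_CALLS


def find_unescaped_templates(source: str) -> List[Tuple[int, str]]:
    """Return (line, template_name) for each render_template() call that uses a
    non-autoescaped template and does not escape every context variable.

    Calls with no context variables are still flagged, because the template
    itself may read request data directly.
    """
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        if _dotted_name(node.func) not in ("render_template", "flask.render_template"):
            continue
        if not node.args or not isinstance(node.args[0], ast.Constant) \
                or not isinstance(node.args[0].value, str):
            continue  # template name is not a string literal: cannot decide statically
        template_name = node.args[0].value
        if flask_will_autoescape(template_name):
            continue
        # **kwargs entries have kw.arg == None; their value is a Name, so they
        # count as unescaped and the call is flagged.
        if node.keywords and all(_is_escaped(kw.value) for kw in node.keywords):
            continue
        findings.append((node.lineno, template_name))
    return findings


if __name__ == "__main__":
    for line, name in find_unescaped_templates(SAMPLE_SOURCE):
        print(f"line {line}: template {name!r} is not autoescaped by Flask")
```

Run against the sample, only the /unsafe handler is reported; /safe is skipped because .html is autoescaped, and /escaped is skipped because its only context value is wrapped in escape(). To fix a real finding, rename the template to an autoescaped extension, escape each value before passing it (or with the |e filter inside the template), or wrap the template body in a {% autoescape true %} block.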

References