Flask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 3.2 HTML/XHTML FAQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235 3.3 Security all templates. The following extensions for tem- plates trigger autoescaping: .html, .htm, .xml, .xhtml. Templates loaded from a string will have autoescaping disabled. 1.4.7 Accessing Request Data For as follows: • autoescaping is enabled for all templates ending in .html, .htm, .xml as well as .xhtml when using render_template(). • autoescaping is enabled for all strings when using render_template_string()

GET /dumprequest HTTP/1.1 Host: rve.org.uk Connection: keep-alive Accept: text/html,application/ xhtml+xml,application/ xml;q=0.9,*/*;q=0.8 User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.22 GET /dumprequest HTTP/1.1 Host: rve.org.uk Connection: keep-alive Accept: text/html,application/ xhtml+xml,application/ xml;q=0.9,*/*;q=0.8 User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.22 GET /dumprequest HTTP/1.1 Host: rve.org.uk Connection: keep-alive Accept: text/html,application/ xhtml+xml,application/ xml;q=0.9,*/*;q=0.8 User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.22

of these entries are not present). • escape: alias for tornado.escape.xhtml_escape • xhtml_escape: alias for tornado.escape.xhtml_escape • url_escape: alias for tornado.escape.url_escape • json_encode: when you execute the template. All template output is escaped by default, using the tornado.escape.xhtml_escape function. This behav- ior can be changed globally by passing autoescape=None to the Application need additional escaping. Additionally, either care must be taken to always use double quotes and xhtml_escape in HTML attributes that may contain untrusted content, or a separate escaping function must

of these entries are not present). • escape: alias for tornado.escape.xhtml_escape • xhtml_escape: alias for tornado.escape.xhtml_escape • url_escape: alias for tornado.escape.url_escape • json_encode: when you execute the template. All template output is escaped by default, using the tornado.escape.xhtml_escape function. This behav- ior can be changed globally by passing autoescape=None to the Application need additional escaping. Additionally, either care must be taken to always use double quotes and xhtml_escape in HTML attributes that may contain untrusted content, or a separate escaping function must

of these entries are not present). • escape: alias for tornado.escape.xhtml_escape • xhtml_escape: alias for tornado.escape.xhtml_escape • url_escape: alias for tornado.escape.url_escape • json_encode: when you execute the template. All template output is escaped by default, using the tornado.escape.xhtml_escape function. This behav- ior can be changed globally by passing autoescape=None to the Application need additional escaping. Additionally, either care must be taken to always use double quotes and xhtml_escape in HTML attributes that may contain untrusted content, or a separate escaping function must

of these entries are not present). • escape: alias for tornado.escape.xhtml_escape • xhtml_escape: alias for tornado.escape.xhtml_escape • url_escape: alias for tornado.escape.url_escape • json_encode: when you execute the template. All template output is escaped by default, using the tornado.escape.xhtml_escape function. This behav- ior can be changed globally by passing autoescape=None to the Application need additional escaping. Additionally, either care must be taken to always use double quotes and xhtml_escape in HTML attributes that may contain untrusted content, or a separate escaping function must

of these entries are not present). • escape: alias for tornado.escape.xhtml_escape • xhtml_escape: alias for tornado.escape.xhtml_escape • url_escape: alias for tornado.escape.url_escape • json_encode: when you execute the template. All template output is escaped by default, using the tornado.escape.xhtml_escape function. This behavior can be changed globally by passing autoescape=None to the Application need additional escaping. Addition- ally, either care must be taken to always use double quotes and xhtml_escape in HTML attributes that may contain untrusted content, or a separate escaping function must

of these entries are not present). • escape: alias for tornado.escape.xhtml_escape • xhtml_escape: alias for tornado.escape.xhtml_escape • url_escape: alias for tornado.escape.url_escape • json_encode: when you execute the template. All template output is escaped by default, using the tornado.escape.xhtml_escape function. This behavior can be changed globally by passing autoescape=None to the Application need additional escaping. Addition- ally, either care must be taken to always use double quotes and xhtml_escape in HTML attributes that may contain untrusted content, or a separate escaping function must

of these entries are not present). • escape: alias for tornado.escape.xhtml_escape • xhtml_escape: alias for tornado.escape.xhtml_escape • url_escape: alias for tornado.escape.url_escape • json_encode: when you execute the template. All template output is escaped by default, using the tornado.escape.xhtml_escape function. This behavior can be changed globally by passing autoescape=None to the Application need additional escaping. Addition- ally, either care must be taken to always use double quotes and xhtml_escape in HTML attributes that may contain untrusted content, or a separate escaping function must

of these entries are not present). • escape: alias for tornado.escape.xhtml_escape • xhtml_escape: alias for tornado.escape.xhtml_escape • url_escape: alias for tornado.escape.url_escape • json_encode: when you execute the template. All template output is escaped by default, using the tornado.escape.xhtml_escape function. This behavior can be changed globally by passing autoescape=None to the Application need additional escaping. Addition- ally, either care must be taken to always use double quotes and xhtml_escape in HTML attributes that may contain untrusted content, or a separate escaping function must