5

In this example:

from flask import Flask, render_template, session

app = Flask(__name__)
# Flask signs the session cookie with this key; a short hard-coded value like this
# is guessable, so treat it as a placeholder and load a random key from config.
app.secret_key = "secret"

@app.route('/')
def landing():
    # HTML is built in Python and stored in the (client-side, signed) session cookie.
    session['results'] = "<p>Test one</p>"
    session['results'] += "<p>Test two</p>"
    results = session['results']
    # Flask autoescapes values rendered into .html templates, so the tags show up literally.
    return render_template('index.html', results=results)

if __name__ == '__main__':
    app.run(debug=True)  # debug expects a bool, not the string 'True'

In my html, I have something like this:

<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8">
        <title>Game</title>
    </head>
    <body>
    {{ results }}

    </body>
</html>

The result is an HTML page that does not interpret the <p> tags. So, I get a page that looks like this:

<p>Test One</p><p>Test Two</p>
6
  • What you are doing is hard, because it really isn't something you should be doing. It has the potential to introduce security problems in your application, for example if 'session['results'] contained '<script src="hacksRus.example.com/badstuff.js" type="text/javascript" /><p>Not up to mischief, honest.</p>'. A better approach would be to keep the HTML in the template file: iterate over the items in results, and wrap them in 'p' tags in the template. Commented Feb 16, 2017 at 11:16
  • Thanks for that. Makes perfect sense. In this instance, the code on the backend is the only code that updates that dictionary. It isn't user controlled. But I will see about using your method. I am super new to python, and flask. I could do this easily in javascript ;) Commented Feb 16, 2017 at 11:22
  • BTW... Would you mind sharing how you would structure the process you are describing? Commented Feb 16, 2017 at 11:23
  • Did you try {{ results|safe }}? Commented Feb 16, 2017 at 11:41
  • 1
    {% for result in results %} <p>{{ result }}</p> {% endfor %} instead of just {{ results }}. The templating language is Jinja, AFAIK, and you can read about that here: jinja.pocoo.org Commented Feb 16, 2017 at 11:55

3 Answers

5

You could escape the HTML:

{{ results|safe }}

or in Python

from markupsafe import escape  # jinja2.escape was removed in Jinja2 3.1; markupsafe provides the same function
results = escape(results)


0

The framework is escaping the HTML in the results variable to prevent security holes. Ideally you want to keep the HTML in the template and not pass it in via the variables. The best way to achieve what you want is to iterate over the values in the results variable and wrap each one in p tags in the template. This can be done like this:

<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8">
        <title>Game</title>
    </head>
    <body>
    {% for result in results %}
        <p>{{ result }}</p>
    {% endfor %}
    </body>
</html>

The templating language is Jinja2, and you can read about that here: http://jinja.pocoo.org/


0

Try this:

from markupsafe import Markup  # flask.Markup was removed in Flask 3.0; it is the same class from markupsafe
results = Markup(results)  # marks the string as already-safe HTML, so autoescaping leaves it alone

1 Comment

While this code may answer the question, providing additional context regarding how and why it solves the problem will improve the answer's long-term value.
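The three answers and the comments on the question describe four ways of handling the same string: render it as-is (escaped), mark it with `|safe`, wrap it in `Markup`, or keep the data as a list and let the template add the `<p>` tags. The following is an added example, not code from the question or any of the answers; it reproduces each behaviour with plain Jinja2 configured the way Flask configures it for templates whose name ends in `.html`, so it runs without Flask or a template folder. The template names, `render_*` helpers and sample values are constructed for this demonstration.

```python
# Added example (not from the question or the answers): the escaping behaviour
# discussed above, reproduced with plain Jinja2. Template names, helper names
# and sample values are constructed for this demonstration.
from jinja2 import DictLoader, Environment, select_autoescape
from markupsafe import Markup

TEMPLATES = {
    # The question's approach: one pre-built HTML string dropped into the page.
    "raw.html": "{{ results }}",
    # The |safe filter from the comments: escaping is switched off for that value.
    "safe.html": "{{ results|safe }}",
    # The advice in the second answer: data stays a list, the <p> markup lives in the template.
    "list.html": "{% for result in results %}<p>{{ result }}</p>{% endfor %}",
}

# Flask enables autoescaping for .html/.htm/.xml/.xhtml/.svg templates;
# select_autoescape applies the same name-based rule here.
env = Environment(
    loader=DictLoader(TEMPLATES),
    autoescape=select_autoescape(["html", "xml"]),
)


def render(template_name, results):
    return env.get_template(template_name).render(results=results)


def render_raw(results_html):
    """What the question's landing() does: the HTML string is escaped, so tags show literally."""
    return render("raw.html", results_html)


def render_marked_safe(results_html):
    """What {{ results|safe }} does: the string reaches the browser untouched, tags and all."""
    return render("safe.html", results_html)


def render_list(results):
    """What the loop template does: each item is escaped; the <p> tags are the template's own."""
    return render("list.html", results)


def build_paragraphs(results):
    """If the HTML really has to be assembled in Python, Markup.format() escapes its
    arguments. The result is a Markup object (equivalent to the third answer's
    Markup(results)) that autoescaping leaves alone, while untrusted item text
    still cannot close the <p> element."""
    return Markup("").join(Markup("<p>{}</p>").format(item) for item in results)


if __name__ == "__main__":
    page_html = "<p>Test one</p><p>Test two</p>"
    # Constructed sample of the kind the first comment on the question warns about.
    hostile = ["Test one", '<script src="https://attacker.example/bad.js"></script>']

    print(render_raw(page_html))                   # the question's symptom: escaped tags
    print(render_marked_safe(page_html))           # the intended page, tags interpreted
    print(render_marked_safe("".join(hostile)))    # |safe passes the script element through
    print(render_list(hostile))                    # loop template: script element neutralised
    print(render_raw(build_paragraphs(hostile)))   # same result with HTML built in Python
```

The design point is where the markup comes from: with `render_list` and `build_paragraphs` every `<p>` is written by the developer and every value is escaped, so the asker's note that "the backend is the only code that updates that dictionary" stops being a precondition for safety. `|safe` and `Markup(results)` on an already-built string give the same output only as long as that guarantee holds.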
