jinja2 flask escaping jinja2-highlight

Question

I need to render some code in a web page, with highlight. I'm using Flask and found that I could use jinja2-highlight. It works great, but I have some problems.

What I tried :

{% highlight 'python' %}
    {{ item.text }}
 {% endhighlight %}

Seems to work, I have my 40 lines of code but all special char like &#34 ... are displayed as this. So I add the |safe to the line {{ item.text }}. And now, all char are ok, but I don't see my full code, only 5 lines (the fifth line is complete).

I think I know what is the problem but don't know hw to solve it.

I have some line in my code like or and it seems that it's not escaped. Any idea why jinja2 does not escape <> ?

I'm not clear about security question with the |safe too. What does the server risks ?

Answer 1

item.text|safe should help. It appears that you're escaping the code twice. You may have some kind of auto-escape enabled.

You don't have to care about the server safety, as long as you don't share your actual code of your site.