Block sets are now safe. This fixes #490

diff --git a/CHANGES b/CHANGES
index 5f69137d8951f26cbfcfc977f6dc7ed664e8b128..65bf9691662c5e2902292326cc551e075592824a 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -27,6 +27,7 @@ Version 2.9
   autoescaping information at call time instead of macro define time.
 - Ported a modified version of the `tojson` filter from Flask to Jinja2
   and hooked it up with the new policy framework.
+- Block sets are now marked `safe` by default.
 
 Version 2.8.2
 -------------

diff --git a/jinja2/compiler.py b/jinja2/compiler.py
index cc808e9d861f5874bd98643176f5642d2b6bfd08..02ae30888fc7ead9e9b411c8d137d98c89585088 100644 (file)
--- a/jinja2/compiler.py
+++ b/jinja2/compiler.py
@@ -1297,7 +1297,8 @@ class CodeGenerator(NodeVisitor):
         self.blockvisit(node.body, block_frame)
         self.newline(node)
         self.visit(node.target, frame)
-        self.write(' = concat(%s)' % block_frame.buffer)
+        self.write(' = (Markup if context.eval_ctx.autoescape '
+                   'else identity)(concat(%s))' % block_frame.buffer)
         self.pop_assign_tracking(frame)
         self.leave_frame(block_frame)
 

diff --git a/tests/test_core_tags.py b/tests/test_core_tags.py
index 7d49d8a9f9365098882d0e23e5cafa24092506ba..0a865f53eafcf221d2bf17d6593ea1524d0f5dfa 100644 (file)
--- a/tests/test_core_tags.py
+++ b/tests/test_core_tags.py
@@ -348,3 +348,9 @@ class TestSet(object):
         tmpl = env_trim.from_string('{% set foo %}42{% endset %}{{ foo }}')
         assert tmpl.render() == '42'
         assert tmpl.module.foo == u'42'
+
+    def test_block_escaping(self):
+        env = Environment(autoescape=True)
+        tmpl = env.from_string('{% set foo %}<em>{{ test }}</em>'
+                               '{% endset %}foo: {{ foo }}')
+        assert tmpl.render(test='<unsafe>') == 'foo: <em>&lt;unsafe&gt;</em>'