From 82261a638bd35c9d69a9582a898cf4dab374f76c Mon Sep 17 00:00:00 2001
From: Simon Willison
Date: Wed, 15 Nov 2017 17:59:42 -0800
Subject: [PATCH] Turn on auto-escaping in Jinja

We had XSS holes! Since we don't do cookies or authentication they shouldn't cause any actual harm, but still really not good.

https://github.com/pallets/jinja/issues/528
---
 datasette/app.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/datasette/app.py b/datasette/app.py
index 15cfe90a..f56695ff 100644
--- a/datasette/app.py
+++ b/datasette/app.py
@@ -610,7 +610,8 @@ class Datasette:
 app,
 loader=FileSystemLoader([
 str(app_root / 'datasette' / 'templates')
- ])
+ ]),
+ autoescape=True,
 )
 self.jinja.add_env('escape_css_string', escape_css_string, 'filters')
 self.jinja.add_env('quote_plus', lambda u: urllib.parse.quote_plus(u), 'filters')
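Review bot: `autoescape=True` only HTML-escapes values interpolated with `{{ }}`; it does not make the two custom filters registered right after it safe for their own contexts, and nothing in this hunk shows a test pinning the new behaviour. `escape_css_string` output that lands inside a `<style>` block or a `style=` attribute still relies on that filter doing the CSS escaping correctly, and `quote_plus` output placed in an `href` is only safe because URL-encoding happens before the HTML escape — it would be worth a comment at the `autoescape=True,` line such as `# HTML-escapes all {{ }} output; CSS/URL contexts still depend on the filters below` so the next reader does not assume the flag covers everything. Any template that previously emitted trusted markup via a plain string will now be double-escaped unless it returns `markupsafe.Markup` or uses `|safe`, so a grep of the templates for such spots, plus a regression test that renders a `<script>`-bearing value and asserts it comes back escaped, would make the fix verifiable. The enclosing method begins outside the hunk.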