TimeTracker/app/utils/safe_template_render.py
Dries Peeters 786d88bdba style: apply black 24.8.0 and isort across app/
Pure formatting pass to satisfy ``./scripts/run-ci-local.sh code-quality``:
no behavioural changes, just consistent line wrapping, import ordering,
and trailing-newline normalization across routes, models, services, and
utility modules.
2026-05-13 10:31:39 +02:00


"""Sandboxed Jinja2 rendering for database-stored templates.

Covers the template text that lives in the database rather than in the
code tree: PDF HTML (WeasyPrint), ReportLab strings and invoice email HTML.
Because that text is not trusted like a checked-in template, it is compiled
in a ``SandboxedEnvironment`` and sees only the context the caller passes.
"""
from __future__ import annotations
from typing import Any
from jinja2.sandbox import SandboxedEnvironment, SecurityError
def render_sandboxed_string(source: str, *, autoescape: bool = True, **context: Any) -> str:
    """Render a database-stored Jinja2 template inside a sandbox.

    The template sees only the keyword arguments in ``context``; nothing from
    the Flask application (``config``, ``request``, ...) is injected, and the
    text is compiled by ``SandboxedEnvironment`` rather than a plain
    ``Environment``. A variable named ``source`` or ``autoescape`` cannot be
    passed this way, since those names are taken by the parameters.

    Args:
        source: Template text. An empty or falsy value renders as ``""``
            without constructing an environment at all.
        autoescape: ``True`` (default) for HTML/CSS output such as WeasyPrint
            or browser-rendered HTML; ``False`` for ReportLab paragraph
            strings, whose markup must not be HTML-entity-encoded.
        **context: Variables exposed to the template by name.

    Returns:
        The rendered text.

    Raises:
        jinja2.sandbox.SecurityError: when the template attempts attribute
            access the sandbox refuses (the usual SSTI escape route).
    """
    if source:
        # A fresh environment per call, so nothing registered during one
        # render (globals, filters, compiled templates) carries over to the next.
        sandbox = SandboxedEnvironment(autoescape=autoescape)
        template = sandbox.from_string(source)
        return template.render(**context)
    return ""
# ``SecurityError`` is re-exported next to the renderer, presumably so callers
# can catch sandbox violations without importing ``jinja2.sandbox`` themselves.
__all__ = ["SecurityError", "render_sandboxed_string"]