How do I html-escape dangerous unsanitized input in jinja2?


{{ user.username|e }}

Pipe it through the |e filter

Jinja: Template Designer Documentation -> HTML Escaping

If you want to escape HTML in your program, you can do it like this (example):

>>> import jinja2
>>> jinja2.__version__
>>> a
>>> jinja2.escape(a)
>>> str(jinja2.escape(a))

You could also tell the environment to autoescape everything:

from jinja2 import Environment

# fileloader: whichever template loader you already use (e.g. a FileSystemLoader)
e = Environment(loader=fileloader, autoescape=True)

Note: in Jinja 1 this is auto_escape.
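The following is an added example, not code from any of the answers above. It puts the two approaches side by side: the explicit |e filter from the first answer and Environment(autoescape=True) from the second, plus escaping a string outside a template. One caveat for current versions: jinja2.escape (used in the second answer's REPL session) was removed in Jinja 3.1; the same function lives in markupsafe, which Jinja depends on, so the example imports it from there. The templates, the hostile username and the bio string are constructed sample data; DictLoader is used so nothing needs to exist on disk.

```python
# Added example (not from the original answers). Shows the |e filter,
# Environment-level autoescaping, markupsafe.escape() for strings outside a
# template, and the Markup/|safe opt-out for HTML you have already sanitized.
# Requires jinja2 (and markupsafe, which jinja2 installs).
from jinja2 import DictLoader, Environment
from markupsafe import Markup, escape

# Constructed sample of attacker-controlled input (a username field).
HOSTILE_USERNAME = '<script>alert("xss")</script>'

# Constructed in-memory templates so the example runs without template files.
TEMPLATES = {
    "manual.html": "<p>{{ user.username|e }}</p>",   # explicit |e filter
    "plain.html": "<p>{{ user.username }}</p>",      # relies on the environment
    "safe.html": "<p>{{ user.bio|safe }}</p>",       # explicit opt-out
}


def render(name, autoescape, **context):
    """Build an Environment with the requested autoescape setting and render."""
    env = Environment(loader=DictLoader(TEMPLATES), autoescape=autoescape)
    return env.get_template(name).render(**context)


def escape_with_filter(username):
    """|e escapes the variable even when the environment does not autoescape."""
    return render("manual.html", autoescape=False, user={"username": username})


def render_without_escaping(username):
    """Plain {{ }} with autoescape=False: the input is copied into the page verbatim."""
    return render("plain.html", autoescape=False, user={"username": username})


def render_with_autoescape(username):
    """Plain {{ }} with autoescape=True: every variable is escaped on output."""
    return render("plain.html", autoescape=True, user={"username": username})


def escape_string(value):
    """Escape outside a template; equivalent to the old jinja2.escape()."""
    return str(escape(value))


def render_trusted_markup(bio_html):
    """Markup() and |safe bypass autoescaping; only use them on sanitized HTML."""
    return render("safe.html", autoescape=True, user={"bio": Markup(bio_html)})


if __name__ == "__main__":
    print("|e filter:      ", escape_with_filter(HOSTILE_USERNAME))
    print("no escaping:    ", render_without_escaping(HOSTILE_USERNAME))
    print("autoescape=True:", render_with_autoescape(HOSTILE_USERNAME))
    print("escape():       ", escape_string("Tom & Jerry <3"))
    print("|safe:          ", render_trusted_markup("<b>hi</b>"))
```

Running it shows the unescaped rendering embedding the script tag unchanged, while both the |e filter and autoescape=True turn `<`, `>` and `"` into `&lt;`, `&gt;` and `&#34;`. Autoescaping is the safer default because a single forgotten |e is enough to reopen the hole; the |safe filter then becomes the one place where raw HTML is deliberately allowed through, which is much easier to audit.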

Flask has a built-in tojson filter: