askama/testing/templates, branch main added poem support Allow included templates to `extend`, `import`, and `macro` 2024-01-17T16:58:53+00:00 max gmx.sht@gmail.com 2023-12-11T14:43:16+00:00 5cad82f38e800a42717284f20e7e0923add1e32f Signed-off-by: max <gmx.sht@gmail.com> 
Signed-off-by: max <gmx.sht@gmail.com>
Add better support for rust-like number literals (#908) 2023-11-22T15:09:33+00:00 PizzasBear 43722034+PizzasBear@users.noreply.github.com 2023-11-22T15:09:33+00:00 696561003d9caaf5d1fd537d6a0f4f88fccca8ce Signed-off-by: max <gmx.sht@gmail.com> 
Signed-off-by: max <gmx.sht@gmail.com>
 Enhance match to include multiple targets (#911) 2023-11-22T13:56:14+00:00 PizzasBear 43722034+PizzasBear@users.noreply.github.com 2023-11-22T13:56:14+00:00 48c6cd327d3c1df4218898be509250efcc56597c Signed-off-by: max <gmx.sht@gmail.com> 
Signed-off-by: max <gmx.sht@gmail.com>
 Add test specifically for named blocks, and named macros 2023-10-23T13:13:27+00:00 Guillaume Gomez guillaume1.gomez@gmail.com 2023-10-23T11:32:37+00:00 a7f5186bf49ef20010c2eae7717b3a738a3b548e 






Add test for macro self argument
2023-10-12T11:57:48+00:00

max
gmx.sht@gmail.com

2023-10-12T11:47:49+00:00

5ee2dfbe6bf901c7c731e9b94ba92b82f09e9101

Signed-off-by: max <gmx.sht@gmail.com>





Signed-off-by: max <gmx.sht@gmail.com>







Fix Rust macro invocations not accepting a path (#837)
2023-07-24T09:39:14+00:00

Matthew Taylor
wrapperup4@gmail.com

2023-07-24T09:39:14+00:00

ac8de6260e34c7dc7f7f2228e832d1860a31707d












Allow macros to be defined and called without arguments
2023-06-12T08:35:40+00:00

mataha
mataha@users.noreply.github.com

2023-06-10T02:57:56+00:00

cba1fb8e508eae87d213e7bc4c7b2eb8b4b92732

This commit introduces a shorthand for defining and calling macros when
using them as a reusable substitute for variables assigned complex values
(e.g. string literals with or without newline escapes). The use-case is
formatting - from my experience it's easier to visually parse a `macro`
`endmacro` block than a multiline variable assignment.

Signed-off-by: mataha <mataha@users.noreply.github.com>





This commit introduces a shorthand for defining and calling macros when
using them as a reusable substitute for variables assigned complex values
(e.g. string literals with or without newline escapes). The use-case is
formatting - from my experience it's easier to visually parse a `macro`
`endmacro` block than a multiline variable assignment.

Signed-off-by: mataha <mataha@users.noreply.github.com>







Propogate size_hint from sub-blocks (#788)
2023-03-06T21:18:45+00:00

Andrew Dona-Couch -- GitHub drop ICE
hi@andrewcou.ch

2023-03-06T21:18:45+00:00

dc864486ec8c258388b4e006d9517e6e30c34a4d

Closes #786




Closes #786






Allow `{% endmacro name %}`
2022-04-29T11:35:20+00:00

Bastien Orivel
bastien@technocreatives.com

2022-04-29T11:12:18+00:00

ea66be1925456285f897bc00a076e4e7af94c313

Just migrated a repo from tera to askama and this was one of the only
things that was different. This is also coherent with `{% block %}` for
which I added the same feature years ago.





Just migrated a repo from tera to askama and this was one of the only
things that was different. This is also coherent with `{% block %}` for
which I added the same feature years ago.







Make json filter safe
2022-02-16T13:51:39+00:00

René Kijewski
kijewski@library.vetmed.fu-berlin.de

2022-02-01T14:32:37+00:00

29f0c0607ad3d25491f4c4a6ca19b463610ae92d

Previously the built-in json filter had an issue that made it unsafe to
use in HTML data. When used in HTML attributes an attacker who is able
to supply an arbitrary string that should be JSON encoded could close
the containing HTML element e.g. with `"</div>"`, and write arbitrary
HTML code afterwards as long as they use apostrophes instead of
quotation marks. The programmer could make this use case safe by
explicitly escaping the JSON result: `{{data|json|escape}}`.

In a `<script>` context the json filter was not usable at all, because
in scripts HTML escaped entities are not parsed outside of XHTML
documents. Without using the safe filter an attacker could close the
current script using `"</script>"`.

This PR fixes the problem by always escaping less-than, greater-than,
ampersand, and apostrophe characters using their JSON unicode escape
sequence `\u00xx`. Unless the programmer explicitly uses the safe
filter, quotation marks are HTML encoded as `&quot`. In scripts the
programmer should use the safe filter, otherwise not.





Previously the built-in json filter had an issue that made it unsafe to
use in HTML data. When used in HTML attributes an attacker who is able
to supply an arbitrary string that should be JSON encoded could close
the containing HTML element e.g. with `"</div>"`, and write arbitrary
HTML code afterwards as long as they use apostrophes instead of
quotation marks. The programmer could make this use case safe by
explicitly escaping the JSON result: `{{data|json|escape}}`.

In a `<script>` context the json filter was not usable at all, because
in scripts HTML escaped entities are not parsed outside of XHTML
documents. Without using the safe filter an attacker could close the
current script using `"</script>"`.

This PR fixes the problem by always escaping less-than, greater-than,
ampersand, and apostrophe characters using their JSON unicode escape
sequence `\u00xx`. Unless the programmer explicitly uses the safe
filter, quotation marks are HTML encoded as `&quot`. In scripts the
programmer should use the safe filter, otherwise not.