Always autoescape using minijinja

MikeMoolenaar · Mar 20, 2024 · a491552 · a491552
1 parent 6f1849a
commit a491552
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 10 deletions.
diff --git a/src/main.rs b/src/main.rs
@@ -6,7 +6,7 @@ use axum::{
 };
 use dotenv::dotenv;
 use libsql::{Builder, Connection};
-use minijinja::{path_loader, Environment};
+use minijinja::{path_loader, AutoEscape, Environment};
 use std::{env, net::SocketAddr, sync::Arc, time::Duration};
 use tower::ServiceBuilder;
 use tower_governor::{governor::GovernorConfigBuilder, GovernorLayer};
@@ -78,6 +78,7 @@ async fn main() {
     let mut jinja = Environment::new();
     jinja.set_loader(path_loader("templates"));
     jinja.add_filter("date_string", date_string);
+    jinja.set_auto_escape_callback(|_| AutoEscape::Html);
     let _ = SHARED_JINJA_ENV.set(jinja.clone());
 
     // Setup static file service

diff --git a/src/render_html.rs b/src/render_html.rs
@@ -26,15 +26,18 @@ pub fn render_block<S: Serialize>(template_name: &str, block_name: &str, context
     }
 }
 
-// TODO: Improve error handling
-pub fn render_html_str<S: Serialize>(template_raw: &str, context: S) -> Result<Html<String>, Box<dyn Error>> {
-    let template = SHARED_JINJA_ENV
+pub fn render_str<S: Serialize>(template_raw: &str, context: S) -> Option<Html<String>> {
+    match SHARED_JINJA_ENV
         .get()
         .expect("Jinja environment not initialized!")
-        .render_str(template_raw, context)?;
-    // Minijiinja does not escape html when using render()
-    let str = v_htmlescape::escape(template.as_str());
-    return Ok(Html(str.to_string()));
+        .render_str(template_raw, context)
+    {
+        Ok(str) => Some(Html(str)),
+        Err(err) => {
+            println!("Error rendering string: {}", err);
+            return Html(String::from("Woopsie! Something broke!")).into();
+        }
+    }
 }
 
 fn render<S: Serialize>(

diff --git a/src/routes/todos/create_todo.rs b/src/routes/todos/create_todo.rs
@@ -1,6 +1,6 @@
 use crate::{
     models::{todo_item::TodoItemRequest, user::User},
-    render_html::render_html_str,
+    render_html::render_str,
     AppState,
 };
 use axum::{extract::State, http::StatusCode, response::Html, Form};
@@ -30,7 +30,7 @@ pub async fn create_todo(
         return Err((StatusCode::INTERNAL_SERVER_ERROR, String::from("Unknown error")));
     }
 
-    return Ok(render_html_str(
+    return Ok(render_str(
         "Todo item '{{ title_clone }}' succesfuly added!",
         context! {
             title_clone