From 0403d3d045ac74a08f9ecd5a5eb52e4354b486f4 Mon Sep 17 00:00:00 2001
From: Garrett Robinson
Date: Fri, 30 Dec 2016 12:40:05 -0500
Subject: [PATCH] Make render_template_string autoescape by default in Flask versions < 0.11

---
 onionshare/web.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/onionshare/web.py b/onionshare/web.py
index e50c0ed9..9f0b02cf 100644
--- a/onionshare/web.py
+++ b/onionshare/web.py
@@ -17,12 +17,29 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with this program. If not, see .
 """
+from distutils.version import StrictVersion as Version
 import queue, mimetypes, platform, os, sys, socket, logging
 from urllib.request import urlopen
+
 from flask import Flask, Response, request, render_template_string, abort
+from flask import __version__ as flask_version
 
 from . import strings, helpers
 
+
+def _safe_select_jinja_autoescape(self, filename):
+    if filename is None:
+        return True
+    return filename.endswith(('.html', '.htm', '.xml', '.xhtml'))
+
+# Starting in Flask 0.11, render_template_string autoescapes template variables
+# by default. To prevent content injection through template variables in
+# earlier versions of Flask, we force autoescaping in the Jinja2 template
+# engine if we detect a Flask version with insecure default behavior.
+if Version(flask_version) < Version('0.11'):
+    # Monkey-patch in the fix from https://github.com/pallets/flask/commit/99c99c4c16b1327288fd76c44bc8635a1de452bc
+    Flask.select_jinja_autoescape = _safe_select_jinja_autoescape
+
 app = Flask(__name__)
 
 # information about the file
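Review bot: The guard `if Version(flask_version) < Version('0.11'):` hinges on `StrictVersion` accepting Flask's `__version__`, and `StrictVersion` raises `ValueError` on strings it cannot parse, so a dev or post-release tag (as far as I recall Flask master has shipped values like `0.12.dev0`) would make `web.py` fail at import instead of either patching or skipping. Because the hunk only cares whether `select_jinja_autoescape` already answers True for `None`, a feature test avoids version parsing altogether and also covers backports: replace the `Version(...)` comparison with `if not Flask.select_jinja_autoescape(None, None):` and keep the existing assignment underneath (the stock method does not appear to reference `self` in either the 0.10 or 0.11 implementation, but confirm before passing `None`). Independently of which check is kept, the assignment is only effective if it runs before any `Flask` instance builds its Jinja environment, which in this hunk is guaranteed solely by source order; a comment above `app = Flask(__name__)` such as `# must stay below the autoescape patch: jinja_env is built from Flask.select_jinja_autoescape on first use` would keep a later refactor from silently undoing the fix.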