Necdet Erdogan 2025-07-10 13:52:54 +03:00 committed by GitHub
commit b60f2ae85d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -34,7 +34,6 @@ from flask import (
abort, abort,
make_response, make_response,
send_file, send_file,
__version__ as flask_version,
) )
from flask_compress import Compress from flask_compress import Compress
from flask_socketio import SocketIO from flask_socketio import SocketIO
@ -134,13 +133,7 @@ class Web:
# Use a custom Request class to track upload progress # Use a custom Request class to track upload progress
self.app.request_class = ReceiveModeRequest self.app.request_class = ReceiveModeRequest
# Starting in Flask 0.11, render_template_string autoescapes template variables
# by default. To prevent content injection through template variables in
# earlier versions of Flask, we force autoescaping in the Jinja2 template
# engine if we detect a Flask version with insecure default behavior.
if Version(flask_version) < Version("0.11"):
# Monkey-patch in the fix from https://github.com/pallets/flask/commit/99c99c4c16b1327288fd76c44bc8635a1de452bc
Flask.select_jinja_autoescape = self._safe_select_jinja_autoescape
self.security_headers = [ self.security_headers = [
("X-Frame-Options", "DENY"), ("X-Frame-Options", "DENY"),