I have never been exposed to this language, but going by many similar examples, if the input is not filtered and certain conditions happen to be met, it is very likely that the program will crash because of malicious input, or that user information will even be lost. The simplest example is outputting HTML: if certain special characters are not escaped, the page is easily attacked by malicious scripts.
I guess this language should have automatic filtering for input under certain conditions (an environment with automatic escaping enabled). If you mark something as safe, these filters are removed and safety is reduced, so if it is an external API, its inputs should not be marked safe without good reason.
For example
The extra large password will be output in the html...
WHY?
Because Jinja2 is essentially a code generator, {{ var }} will be executed by Python.
So the input needs to be escaped, and Jinja2 also enables escaping by default.
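To make the point of both replies concrete, here is an added example that is not part of the original thread and not Jinja2's own code: a small Python model of how an autoescaping template engine treats `{{ var }}` versus `{{ var | safe }}`. The names `Markup`, `escape` and `render` are stand-ins that mirror the MarkupSafe/Jinja2 protocol (a value with an `__html__` method is trusted and passes through untouched; everything else is HTML-escaped), so the script runs offline with only the standard library. The input string is constructed for the demonstration.

```python
import html
import re


class Markup(str):
    """Stand-in for markupsafe.Markup (assumption: a model, not the real type).
    A value of this type declares itself as already-safe HTML, and escape()
    leaves it alone. This is exactly what '| safe' hands the renderer."""

    def __html__(self):
        return str(self)


def escape(value):
    """HTML-escape a value unless it declares itself safe via __html__,
    the same protocol Jinja2/MarkupSafe use to decide what to leave alone."""
    if hasattr(value, "__html__"):
        return Markup(value.__html__())
    return Markup(html.escape(str(value), quote=True))


# Matches '{{ name }}' and '{{ name | safe }}' (hypothetical mini syntax).
_VAR = re.compile(r"\{\{\s*(\w+)\s*(\|\s*safe)?\s*\}\}")


def render(template, context, autoescape=True):
    """Toy renderer: substitutes each placeholder from `context`.
    With autoescape on, every interpolated value is escaped unless the
    template applies '| safe' or the value is already Markup."""

    def substitute(match):
        name, safe_filter = match.group(1), match.group(2)
        value = context[name]
        if safe_filter:
            # '| safe' strips the protection: whatever the string holds goes out verbatim.
            value = Markup(value)
        if autoescape:
            return str(escape(value))
        return str(value)

    return _VAR.sub(substitute, template)


# Constructed sample input of the kind the replies above warn about.
USER_INPUT = '<script>alert("pwned")</script>'
TEMPLATE = "<p>Hello {{ name }}</p>"
SAFE_TEMPLATE = "<p>Hello {{ name | safe }}</p>"


def demo():
    """Return the four renderings side by side so the difference is visible."""
    return {
        # autoescape on: the script tags are neutralised
        "escaped": render(TEMPLATE, {"name": USER_INPUT}),
        # '| safe' on external input: the script is emitted as-is
        "marked_safe": render(SAFE_TEMPLATE, {"name": USER_INPUT}),
        # autoescape off behaves like marking everything safe
        "no_autoescape": render(TEMPLATE, {"name": USER_INPUT}, autoescape=False),
        # Markup produced by your own code is the legitimate use of 'safe'
        "trusted_markup": render(TEMPLATE, {"name": Markup("<b>admin</b>")}),
    }


if __name__ == "__main__":
    for label, output in demo().items():
        print(f"{label:>15}: {output}")
```

The only rendering in which untrusted input stays harmless is the one with autoescape on and no `| safe`; the filter is meant for HTML your own code built (the `trusted_markup` case), which is why the first reply says external inputs should not be marked safe without good reason.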