What did you do? Please include the actual source code causing the issue.
```html
<!-- Suppose you have -->
<variable name="xx">
<span>... any more html ...</span>
... html
</variable>
{{ xx }}
```
What did you expect to happen?
Should output the escaped version of the html < ... > .....
What actually happened? Please include the actual, raw output.
However the unescaped version is outputted. (<span>...</span>)
This occurs because during the resolveBaseUrl stage, decodeEntities is turned on, which turns previously escaped characters back to the unescaped versions. (Noticed this in an upcoming PR that inadvertently fixes this.)
Is this intended? (note that this goes against standard nunjucks behaviour)
Our docs have also been relying on this behaviour a lot, as does the 2103 site.
While it is convenient from a user standpoint, once we start adding features that pipe in data/variables from potentially unsafe sources, it poses a security problem.
On the other hand, containing html-in-variables is really quite convenient.
If we do decide to preserve the current behaviour formally (turning off autoEscape in nunjucks variable rendering), we should provide an unsafe filter of sorts.
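As an added example (not MarkBind's or nunjucks' own code), the following models the two stages described above and adds a check a build can run to catch a post-processing stage that un-escapes variable output; `escapeHtml` stands in for nunjucks autoescape of `{{ xx }}`, and `decodeEntities` is a simplified stand-in for a parser's decodeEntities option in the resolveBaseUrl stage.

```javascript
// Stage 1 stand-in: what nunjucks autoescape emits for {{ xx }} (simplified).
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ESC[c]);

// Stage 2 stand-in: a parser pass with decodeEntities on. Named and numeric
// entities in text are turned back into the characters they encoded.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    if (body[0] !== '#') return NAMED[body.toLowerCase()] || m;
    const hex = body[1].toLowerCase() === 'x';
    return String.fromCodePoint(parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10));
  });
}

// Whole pipeline for one variable: autoescape, then the post-processing stage.
// `decode` models whether decodeEntities is enabled in that stage.
function renderVariable(value, { decode }) {
  const rendered = escapeHtml(value);
  return decode ? decodeEntities(rendered) : rendered;
}

// Regression check: given the variable values that came from untrusted sources,
// report those that reach the final output verbatim with their tags intact.
function findUnescapedMarkup(output, untrustedValues) {
  return untrustedValues.filter((v) => /<[a-z!/]/i.test(v) && output.includes(v));
}

// Constructed sample value: harmless once escaped, live markup if un-escaped.
const sample = '<span onclick="alert(1)">hi</span>';
const leaky = renderVariable(sample, { decode: true });  // tags restored
const kept = renderVariable(sample, { decode: false });  // still &lt;span ...&gt;
```

Running `findUnescapedMarkup(leaky, [sample])` flags the sample, while the same check on `kept` returns nothing, which is the assertion a site build could keep around once the intended behaviour is decided.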
The current behavior is that the adding of | safe is not needed most of the time. I'd rather choose the option that results in less work for the author, but for rare cases that pose security threats, we can provide a safety mechanism; i.e., follow the principle 'make common things easy, rare things possible'.
What do you guys think? OK to go that route?
Tell us about your environment
2.14.1