justpy Do not HTML escape redirect URL

By default in Jinja values that don't need escaping have to be marked with the safe filter. See https://jinja.palletsprojects.com/en/3.0.x/templates/#working-with-automatic-escaping

Discovered while debugging ory/hydra#2932

Jan 12 '22 16:01 azazel75

Thanks. Does this cause a bug currently?

Jan 12 '22 16:01 elimintz

Of course, or I wouldn't have stumbled on it :smiley:

If you set a page redirect as:

page.redirect = 'http://127.0.0.1:4444/oauth2/auth?audience=&client_id=a_client&login_verifier=5bac8'

The user agent will be really redirected to http://127.0.0.1:4444/oauth2/auth?audience=&client_id=a_client&login_verifier=5bac8. I found because event's msg.page.redirect works, and the only thing different is is the templating step.

Jan 12 '22 16:01 azazel75

It would be nice to have a non JS redirect if no websocket is involved, though

Jan 12 '22 16:01 azazel75

Ok, thank you, I accept this change and it will be in the next version.

Jan 12 '22 17:01 elimintz

It would be nice to have a non JS redirect if no websocket is involved, though

The redirect does not work in AJAX mode?

Jan 12 '22 17:01 elimintz

Yes yes It works, sorry for the noise. I was thinking for my use, having the server answering a 200 and then using JS to do the redirect on simple requests where only GET/POST are involved (and no websocket/ajax is involved) is less than optimal, it would be better if JustPy answered with a 302 directly, it's more correct even from a semantic point of view and allows to serve rightly clients that just do HTTP

Jan 12 '22 17:01 azazel75

but that's another thing

Jan 12 '22 17:01 azazel75