diff --git a/src/fava/application.py b/src/fava/application.py
index 45bc5e312..4dd454bbf 100644
--- a/src/fava/application.py
+++ b/src/fava/application.py
@@ -35,6 +35,7 @@
 from flask.wrappers import Response
 from flask_babel import Babel # type: ignore
 from flask_babel import get_translations
+from markupsafe import Markup
 from werkzeug.utils import secure_filename
 from fava import __version__ as fava_version
@@ -384,10 +385,12 @@ def help_page(page_slug: str) -> str:
 "_layout.html",
 active_page="help",
 page_slug=page_slug,
- help_html=render_template_string(
- html,
- beancount_version=beancount_version,
- fava_version=fava_version,
+ help_html=Markup(
+ render_template_string(
+ html,
+ beancount_version=beancount_version,
+ fava_version=fava_version,
+ )
 ),
 HELP_PAGES=HELP_PAGES,
 )
diff --git a/src/fava/core/file.py b/src/fava/core/file.py
index 74a074253..b2b9d7538 100644
--- a/src/fava/core/file.py
+++ b/src/fava/core/file.py
@@ -22,6 +22,7 @@
 from beancount.core.flags import FLAG_SUMMARIZE
 from beancount.core.flags import FLAG_TRANSFER
 from beancount.parser.printer import format_entry # type: ignore
+from markupsafe import Markup
 from fava.core._compat import FLAG_RETURNS
 from fava.core._compat import FLAG_UNREALIZED
@@ -176,7 +177,9 @@ def insert_entries(self, entries: Entries) -> None:
 )
 self.ledger.extensions.after_insert_entry(entry)
- def render_entries(self, entries: Entries) -> Generator[str, None, None]:
+ def render_entries(
+ self, entries: Entries
+ ) -> Generator[Markup, None, None]:
 """Return entries in Beancount format.
 Only renders :class:`.Balance` and :class:`.Transaction`.
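Review bot: The `Markup(render_template_string(html, ...))` call in `help_page` (src/fava/application.py) has no comment recording why the rendered help page may be trusted as HTML. Where `html` comes from is outside this hunk; if it is built only from help files that ship with the application, a line such as `# html is rendered from the packaged help pages only, never from ledger or request data` above the call would keep that trust decision reviewable. Since `html` is also passed as the template source, the same comment should state that it must never carry user-controlled text. The body of `help_page` starts before this hunk.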
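Review bot: Marking the output of `render_entries` (src/fava/core/file.py) as `Markup` declares ledger text to be HTML-safe, which it is not: the new return type here and the two `yield Markup(...)` calls in the next hunk wrap the source slice and the `_format_entry` output unescaped. That text presumably carries payees, narrations and metadata from the user's file, so any HTML template that iterates this generator would emit `<` and `&` as markup. If the only consumer is a plain-text export, it would be safer to keep yielding `str` and turn escaping off in that one template with `{% autoescape false %}`. Otherwise the docstring should say so, e.g. `Yields Markup only to bypass autoescaping in plain-text output; do not render in HTML.`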
@@ -193,12 +196,14 @@ def render_entries(self, entries: Entries) -> Generator[str, None, None]:
 if isinstance(entry, Transaction) and entry.flag in EXCL_FLAGS:
 continue
 try:
- yield get_entry_slice(entry)[0] + "\n"
+ yield Markup(get_entry_slice(entry)[0] + "\n")
 except (KeyError, FileNotFoundError):
- yield _format_entry(
- entry,
- self.ledger.fava_options.currency_column,
- indent,
+ yield Markup(
+ _format_entry(
+ entry,
+ self.ledger.fava_options.currency_column,
+ indent,
+ )
 )
diff --git a/src/fava/template_filters.py b/src/fava/template_filters.py
index 43876aac1..713ceadc5 100644
--- a/src/fava/template_filters.py
+++ b/src/fava/template_filters.py
@@ -12,7 +12,6 @@
 from typing import MutableMapping
 from typing import TypeVar
-import flask
 from beancount.core import compare
 from beancount.core import realization
 from beancount.core.account import ACCOUNT_RE
@@ -20,6 +19,8 @@
 from beancount.core.inventory import Inventory
 from beancount.core.number import Decimal
 from beancount.core.number import ZERO
+from flask import url_for
+from markupsafe import Markup
 from fava.context import g
 from fava.core.conversion import cost
@@ -145,14 +146,14 @@ def basename(file_path: str) -> str:
 return unicodedata.normalize("NFC", os.path.basename(file_path))
-def format_errormsg(message: str) -> str:
+def format_errormsg(message: str) -> Markup:
 """Match account names in error messages and insert HTML links for them."""
 match = re.search(ACCOUNT_RE, message)
 if not match:
- return message
+ return Markup(message)
 account = match.group()
- url = flask.url_for("account", name=account)
- return (
+ url = url_for("account", name=account)
+ return Markup(
 message.replace(account, f'{account}')
 .replace("for '", "for ")
 .replace("': ", ": ")
diff --git a/src/fava/templates/_layout.html b/src/fava/templates/_layout.html
index d15d4c9f4..5fd37859f 100644
--- a/src/fava/templates/_layout.html
+++ b/src/fava/templates/_layout.html
@@ -43,7 +43,7 @@
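Review bot: Both return paths of `format_errormsg` (src/fava/template_filters.py) wrap the message in `Markup(...)` without escaping it first, so any markup characters in an error message reach the page as HTML now that errors.html no longer applies `|safe` itself. Error messages look like they can quote fragments of the ledger (the filter searches them for account names), so the text should be escaped before the link is spliced in: `return escape(message)` in the no-match branch, and the other branch should start from `escape(message)` and pass the link to `.replace()` as a `Markup` value so only the link stays unescaped. `escape` is provided by `markupsafe`, from which this file now imports `Markup`. The removed `|safe` had the same effect, so this is not a regression, but the filter is now the single place where the trust decision is made and is the right place to tighten it.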

{% block content %} {% if content %} - {{ content|safe }} + {{ content }} {% else %} {% include active_page + '.html' %} {% endif %} diff --git a/src/fava/templates/errors.html b/src/fava/templates/errors.html index 65eaa8321..0a04db6ae 100644 --- a/src/fava/templates/errors.html +++ b/src/fava/templates/errors.html @@ -13,7 +13,7 @@ {% with link=url_for_source(file_path=error.source['filename'], line=error.source['lineno']) %} {{ error.source['filename'] }} {{ error.source['lineno'] }} - {{ error.message|format_errormsg|safe }} + {{ error.message|format_errormsg }} {% endwith %} {% endfor %} diff --git a/src/fava/templates/help.html b/src/fava/templates/help.html index 04d3ad733..0ad1fdad6 100644 --- a/src/fava/templates/help.html +++ b/src/fava/templates/help.html @@ -12,6 +12,6 @@

{{ _('Help pages') }}

- {{ help_html|safe }}
+ {{ help_html }}