AI-Cognitive-Leap/agnes-the-ai-analyst
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(api): align PUT validation autoescape with runtime (False); docs match

Browse source
This commit is contained in:
ZdenekSrotyr 2026-05-03 21:30:24 +02:00
parent 7bbf9413a6
commit d18bc4c8f7
2 changed files with 15 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
app/api/welcome.py
View file

@ -86,9 +86,11 @@ async def admin_put_template(
user: dict = Depends(require_admin), user: dict = Depends(require_admin),
conn: duckdb.DuckDBPyConnection = Depends(_get_db), conn: duckdb.DuckDBPyConnection = Depends(_get_db),
): ):
# Validate with autoescape=True (matches runtime environment) and # Validate with autoescape=False to match every runtime render path
# StrictUndefined so unknown placeholders are caught at save time. # (/setup page, preview endpoint, render_agent_prompt_banner). The
env = Environment(undefined=StrictUndefined, autoescape=True) # outer template applies escaping where needed via `| e`. StrictUndefined
# is kept so unknown placeholders are caught at save time.
env = Environment(undefined=StrictUndefined, autoescape=False)
try: try:
template = env.from_string(payload.content) template = env.from_string(payload.content)
# Render against a stub context so undefined placeholders or runtime # Render against a stub context so undefined placeholders or runtime

15
docs/agent-setup-prompt.md
View file

@ -34,11 +34,16 @@ row id=1). The `DELETE` endpoint NULLs `content`; the audit trail
## Template language ## Template language
[Jinja2](https://jinja.palletsprojects.com/) with `autoescape=True` and [Jinja2](https://jinja.palletsprojects.com/) with `autoescape=False` and
`StrictUndefined`. Autoescape is on because the output is rendered into HTML. `StrictUndefined`. Autoescape is off because the rendered output is composed
Any typo in a placeholder name raises an error at PUT validation time rather into the surrounding `/setup` template which applies HTML escaping where
than silently emitting an empty string — the editor reports the error needed via `| e`; doubling the escape would corrupt characters like `&` or `<`
immediately so the admin can fix it before saving. inside code blocks. All four render sites (PUT validation, preview endpoint,
`/setup` page render, `render_agent_prompt_banner`) share the same setting,
so the editor's preview matches what analysts see live. Any typo in a
placeholder name raises an error at PUT validation time rather than silently
emitting an empty string — the editor reports the error immediately so the
admin can fix it before saving.
## Available placeholders ## Available placeholders