实世界里，你可能需要撰写更完整的提交信息。 提示 你可以在 GitHub 上查看本书示例程序的对应 commit：eca06dc。 进阶提示 如果你使用 Python 2.7，为了使程序正常工作，需要在脚本首行添加编码声明 # -*- coding: utf-8-*- ，并在包含中文的字符串前面添加 u 前缀。本 书中对于包含中文的字符串均添加了 u 前缀，这在 Python 3 中并不需要。 章找到。 第 3 章：模板 28 第 4 章：静态文件 静态文件（static files）和我们的模板概念相反，指的是内容不需要动态生成的文 件。比如图片、CSS 文件和 JavaScript 脚本等。 在 Flask 中，我们需要创建一个 static 文件夹来保存静态文件，它应该和程序模 块、templates 文件夹在同一目录层级，所以我们在项目根目录创建它： $ mkdir static 花括号部分的调用会返回 /static/foo.jpg 。 提示 在 Python 脚本里， url_for() 函数需要从 flask 包中导入，而在模板中 则可以直接使用，因为 Flask 把一些常用的函数和对象添加到了模板上下文（环 境）里。 添加 Favicon

mean? New technologies in HTML5 What should be used? Security Considerations Cross-Site Scripting (XSS) Cross-Site Request Forgery (CSRF) JSON Security Security Headers Copy/Paste to Terminal Unicode in against one of the most common security problems of modern web applications: cross-site scripting (XSS). Unless you deliberately mark insecure HTML as secure, Flask and the underlying Jinja2 template engine to use these characters in text, but can also lead to security problems. (see Cross-Site Scripting (XSS)) Sometimes however you will need to disable autoescaping in templates. This can be the case if you

against one of the most common security problems of modern web applications: cross-site scripting (XSS). Unless you delib- erately mark insecure HTML as secure, Flask and the underlying Jinja2 template to use these characters in text, but can also lead to security problems. (see Cross-Site Scripting (XSS)) Sometimes however you will need to disable autoescaping in templates. This can be the case if you you can make sure that users are not able to upload HTML files that would cause XSS problems (see Cross-Site Scripting (XSS)). Also make sure to disallow .php files if the server executes them, but who has