I'm trying to pass a variable from Flask to my HTML code. I'm adding it as a URL for a button, so a user can follow it. My problem is that the buttons don't work, and when inspecting the website I see that the variables have had " added to them. Removing this makes the buttons work.
HTML code:
<!DOCTYPE html>
<html>
<head>
<title>Test</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="Testing buttons">
<meta name="keywords" content="Test">
<style>
h1 {
font-family: Arial, sans-serif;
color: #2f2d2d;
text-align: Center;
}
p {
font-family: Arial, sans-serif;
font-size: 14px;
text-align: Center;
color: #2f2d2d;
}
</style>
</head>
<body>
<h1>Results</h1>
<p>Click the buttons below to go to your results: </p>
<button onclick={{ value1 }}>
Yandex.com
</button>
</body>
</html>
Value1 in my Python code:
input1 = (str(""""window.location.href='""") +
          str(img_search_url) + str('''';"'''))
return render_template('results.html', value1=input1)
For testing purposes let img_search_url = https://yandex.com/images/search?cbir_id=1865182/7z8tGw017Oxvkl-ZRGX7jA6207&rpt=imageview&lr=123432
Thanks
CodePudding user response:
You need to use the |safe filter as mentioned on other SO answers.
<button onclick={{ value1|safe }}>
This ensures that the auto unescaping is turned off. If you do it on untrusted data, it can easily lead to XSS vulnerabilities though.
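An added example, not part of the question or the answer above: it renders the button three ways to show what autoescaping does to the quoted string, what |safe lets through, and a variant where the template owns the quotes and only a scheme-checked URL is passed as data. It uses jinja2 directly instead of Flask's render_template, and the function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

from jinja2 import Environment

env = Environment(autoescape=True)  # Flask autoescapes .html templates the same way

# The question's template: quotes and JavaScript arrive inside the variable.
ASKED = env.from_string("<button onclick={{ value1 }}>Yandex.com</button>")
# The answer's template: same variable, escaping switched off.
WITH_SAFE = env.from_string("<button onclick={{ value1|safe }}>Yandex.com</button>")
# Hardened: the template owns the quotes and the JavaScript; only the URL is data.
# tojson emits a JS string literal with < > & ' escaped. It leaves double quotes
# in place, so the attribute itself is single-quoted.
HARDENED = env.from_string(
    "<button onclick='window.location.href={{ url|tojson }}'>Yandex.com</button>"
)


def build_value1(img_search_url):
    """Builds the same string as the question: "window.location.href='URL';" """
    return "\"window.location.href='" + str(img_search_url) + "';\""


def checked_url(url):
    """Accept only absolute http(s) URLs; javascript: and similar are rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("refusing non-http(s) URL")
    return url


def render_hardened(url):
    return HARDENED.render(url=checked_url(url))


# Constructed sample inputs (not from the original post).
GOOD = "https://example.test/images/search?cbir_id=1&rpt=imageview"
HOSTILE = "https://example.test/';alert(1);//"

if __name__ == "__main__":
    print(ASKED.render(value1=build_value1(GOOD)))         # quotes become &#34; and &#39;
    print(WITH_SAFE.render(value1=build_value1(HOSTILE)))  # the ' ends the JS string early
    print(render_hardened(HOSTILE))                        # the ' stays inside the string
```

The scheme check and the tojson encoding cover different cases: the hostile sample URL passes the scheme check, so the encoding is what keeps its quote from closing the JavaScript string.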