Where possible, a secure approach is to wrap your string in a Markup object before passing it to the template:

在可能的情况下，一种安全的方法是在将字符串传递给模板之前将其包装在一个 Markup 对象中：

Python code:

蟒蛇代码：

from flask import Markup

message = Markup("<h1>Voila! Platform is ready to used</h1>")
flash(message)
return render_template('output.html')

Jinja2 Template:

Jinja2 模板：

<div class="flashes">
  {% for message in get_flashed_messages() %}
    {{ message }}
  {% endfor %}
</div>

Using {{message|safe}}will work, but also opens up the door for an attacker to inject malicious HTML or Javascript into your page, also known an an XSS attack. More info hereif you're interested.

使用{{message|safe}}会起作用，但也会为攻击者打开大门，将恶意 HTML 或 Javascript 注入您的页面，也称为 XSS 攻击。如果您有兴趣，请在此处了解更多信息。

Use the safefilter:

使用safe过滤器：

<div class="flashes">
  {% for message in get_flashed_messages()%}
    {{ message|safe }}
  {% endfor %}
</div>

FOr cases where you might want to control the css applied depending on the status of message (Success | Error), the following code might be useful

对于您可能希望根据消息的状态（成功 | 错误）控制应用的 css 的情况，以下代码可能有用

{% for category, msg in get_flashed_messages(with_categories=true) %}

    <div class="alert {{ category }} alert-dismissible" role="alert">
                            <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">×</span></button>
                           {{ msg|safe }}
    </div>

{% endfor %}

{% 结束为 %}

Another way is to call render_templateto the external HTML file and passing that to Markupclass.

另一种方法是调用render_template外部 HTML 文件并将其传递给Markup类。

main/routes.py

主要/路线.py

from flask import render_template, flash, Markup
from . import blueprint

@blueprint.route("/user")
def user():
    flash(Markup(render_template("templates/user.html", name="John Doe"))
    return render_template("templates/home.html")

templates/user.html

模板/用户.html

<h1>User: {{ name }}</h1>