Add .svg to select_jinja_autoescape (#4840)

As SVG files are a type of XML file and are similar in nearly
all aspects to XML, .svg should also be autoescaped.

CHANGES.rst

@@ -3,6 +3,9 @@ Version 2.2.3
 
 Unreleased
 
+-   Autoescaping is now enabled by default for ``.svg`` files. Inside
+    templates this behavior can be changed with the ``autoescape`` tag.
+    :issue:`4831`
 -   Fix the type of ``template_folder`` to accept ``pathlib.Path``. :issue:`4892`
 
 

docs/templating.rst

@@ -18,7 +18,7 @@ Jinja Setup
 Unless customized, Jinja2 is configured by Flask as follows:
 
 -   autoescaping is enabled for all templates ending in ``.html``,
-    ``.htm``, ``.xml`` as well as ``.xhtml`` when using
+    ``.htm``, ``.xml``, ``.xhtml``, as well as ``.svg`` when using
     :func:`~flask.templating.render_template`.
 -   autoescaping is enabled for all strings when using
     :func:`~flask.templating.render_template_string`.

src/flask/app.py

@@ -961,11 +961,14 @@ class Flask(Scaffold):
         """Returns ``True`` if autoescaping should be active for the given
         template name. If no template name is given, returns `True`.
 
+        .. versionchanged:: 2.2
+            Autoescaping is now enabled by default for ``.svg`` files.
+
         .. versionadded:: 0.5
         """
         if filename is None:
             return True
-        return filename.endswith((".html", ".htm", ".xml", ".xhtml"))
+        return filename.endswith((".html", ".htm", ".xml", ".xhtml", ".svg"))
 
     def update_template_context(self, context: dict) -> None:
         """Update the template context with some commonly used variables.