demonstrate escaping with query string

slash in value would be interpreted as a path separator in the URL
Update macOS UI reference to “System Settings” (#5723 )
2025-08-18 10:19:18 -07:00 · 2025-08-18 10:08:07 -07:00 · 2025-08-18 09:56:39 -07:00 · 2025-08-18 09:45:56 -07:00 · 2025-08-18 09:42:21 -07:00 · 2025-06-04 17:24:45 -07:00
7 changed files with 31 additions and 35 deletions
--- a/CHANGES.rst
+++ b/CHANGES.rst
@ -1,3 +1,12 @@
+Version 3.1.2
+-------------
+
+Unreleased
+
+-   When using ``follow_redirects`` in the test client, the final state
+    of ``session`` is correct. :issue:`5786`
+
+
 Version 3.1.1
 -------------

--- a/docs/quickstart.rst
+++ b/docs/quickstart.rst
@ -139,18 +139,16 @@ how you're using untrusted data.

 .. code-block:: python

+    from flask import request
    from markupsafe import escape

-    @app.route("/<name>")
-    def hello(name):
+    @app.route("/hello")
+    def hello():
+        name = request.args.get("name", "Flask")
        return f"Hello, {escape(name)}!"

-If a user managed to submit the name ``<script>alert("bad")</script>``,
-escaping causes it to be rendered as text, rather than running the
-script in the user's browser.
-
-``<name>`` in the route captures a value from the URL and passes it to
-the view function. These variable rules are explained below.
+If a user submits ``/hello?name=<script>alert("bad")</script>``, escaping causes
+it to be rendered as text, rather than running the script in the user's browser.


 Routing
--- a/docs/server.rst
+++ b/docs/server.rst
@ -77,7 +77,7 @@ following example shows that process id 6847 is using port 5000.

 macOS Monterey and later automatically starts a service that uses port
 5000. You can choose to disable this service instead of using a different port by
-searching for "AirPlay Receiver" in System Preferences and toggling it off.
+searching for "AirPlay Receiver" in System Settings and toggling it off.


 Deferred Errors on Reload
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,6 +1,6 @@
 [project]
 name = "Flask"
-version = "3.1.1"
+version = "3.1.2.dev"
 description = "A simple framework for building complex web applications."
 readme = "README.md"
 license = "BSD-3-Clause"
--- a/src/flask/testing.py
+++ b/src/flask/testing.py
@ -240,10 +240,10 @@ class FlaskClient(Client):
        response.json_module = self.application.json  # type: ignore[assignment]

        # Re-push contexts that were preserved during the request.
-        while self._new_contexts:
-            cm = self._new_contexts.pop()
+        for cm in self._new_contexts:
            self._context_stack.enter_context(cm)

+        self._new_contexts.clear()
        return response

    def __enter__(self) -> FlaskClient:
--- a/tests/test_testing.py
+++ b/tests/test_testing.py
@ -138,32 +138,21 @@ def test_blueprint_with_subdomain():
    assert rv.data == b"http://xxx.example.com:1234/foo/"


-def test_redirect_keep_session(app, client, app_ctx):
-    @app.route("/", methods=["GET", "POST"])
+def test_redirect_session(app, client, app_ctx):
+    @app.route("/redirect")
    def index():
-        if flask.request.method == "POST":
-            return flask.redirect("/getsession")
-        flask.session["data"] = "foo"
-        return "index"
+        flask.session["redirect"] = True
+        return flask.redirect("/target")

-    @app.route("/getsession")
+    @app.route("/target")
    def get_session():
-        return flask.session.get("data", "<missing>")
+        flask.session["target"] = True
+        return ""

    with client:
-        rv = client.get("/getsession")
-        assert rv.data == b"<missing>"
-
-        rv = client.get("/")
-        assert rv.data == b"index"
-        assert flask.session.get("data") == "foo"
-
-        rv = client.post("/", data={}, follow_redirects=True)
-        assert rv.data == b"foo"
-        assert flask.session.get("data") == "foo"
-
-        rv = client.get("/getsession")
-        assert rv.data == b"foo"
+        client.get("/redirect", follow_redirects=True)
+        assert flask.session["redirect"] is True
+        assert flask.session["target"] is True


 def test_session_transactions(app, client):
--- a/uv.lock
+++ b/uv.lock
@ -387,7 +387,7 @@ wheels = [

 [[package]]
 name = "flask"
-version = "3.1.1"
+version = "3.1.2.dev0"
 source = { editable = "." }
 dependencies = [
    { name = "blinker" },
@ -641,7 +641,7 @@ name = "importlib-metadata"
 version = "8.7.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
-    { name = "zipp" },
+    { name = "zipp", marker = "python_full_version < '3.10'" },
 ]
 sdist = { url = "https://files.pythonhosted.org/packages/76/66/650a33bd90f786193e4de4b3ad86ea60b53c89b669a5c7be931fac31cdb0/importlib_metadata-8.7.0.tar.gz", hash = "sha256:d13b81ad223b890aa16c5471f2ac3056cf76c5f10f82d6f9292f0b415f389000", size = 56641, upload-time = "2025-04-27T15:29:01.736Z" }
 wheels = [
Author	SHA1	Message	Date
Badhreesh	0f83958247	demonstrate escaping with query string slash in value would be interpreted as a path separator in the URL	2025-08-18 10:19:18 -07:00
David Lord	7fea7cf156	Update macOS UI reference to “System Settings” (#5723 )	2025-08-18 10:08:07 -07:00
David Lord	24824ff666	push preserved contexts in correct order (#5797 )	2025-08-18 09:56:39 -07:00
David Lord	53b8f08218	push preserved contexts in correct order	2025-08-18 09:45:56 -07:00
David Lord	5addaf833b	start version 3.1.2	2025-08-18 09:42:21 -07:00
abhiram kamini	7bf3be8dfa	Update server.rst made changes to rename system preferences to system settings according to new mac os name change	2025-06-04 17:24:45 -07:00