Diffstat (limited to 'webapp.py')
-rw-r--r-- | webapp.py | 21 |
1 files changed, 14 insertions, 7 deletions
@@ -13,6 +13,8 @@ import flask_sqlalchemy import jinja2 import sqlalchemy import werkzeug +import werkzeug.security + app = flask.Flask("crossqa") app.config["SQLALCHEMY_DATABASE_URI"] = 'sqlite:///db' @@ -311,12 +313,15 @@ def formatts(ts): @app.template_filter("formatts") def formatts_filter(ts): - return jinja2.Markup('<time title="%s" datetime="%s">%s</time>' % - (ts, ts, formatts(ts))) + return jinja2.utils.markupsafe.Markup( + '<time title="%s" datetime="%s">%s</time>' % (ts, ts, formatts(ts)) + ) @app.template_filter("archpair_format") def archpair_format_filter(archpair): - return jinja2.Markup("%s → %s" % tuple(map(jinja2.escape, archpair))) + return jinja2.utils.markupsafe.Markup( + "%s → %s" % tuple(map(jinja2.utils.markupsafe.escape, archpair)) + ) def group_pairs(pairs): result = {} @@ -329,10 +334,12 @@ def render_archset(subset, all_archs): return next(iter(subset)) if subset == all_archs: return "any" - return "{%s}" % ", ".join(map(jinja2.escape, sorted(subset))) + return "{%s}" % ", ".join( + map(jinja2.utils.markupsafe.escape, sorted(subset)) + ) @app.template_filter('archpairs_format') -@jinja2.contextfilter +@jinja2.pass_context def archpairs_format_filter(context, some_archs): architectures = group_pairs(context["architectures"]) fwdmap = {} # build architecture -> host architecture set representation @@ -344,7 +351,7 @@ def archpairs_format_filter(context, some_archs): maps = ("%s → %s" % (render_archset(buildarchs, allbuildarchs), hostarchrep) for hostarchrep, buildarchs in flippedit) - return jinja2.Markup("; ".join(sorted(maps))) + return jinja2.utils.markupsafe.Markup("; ".join(sorted(maps))) def collect_depstate(conn, source): version = None 
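Review bot: In `formatts_filter` the new code still formats `ts` into the HTML string with plain `%` and only then wraps the result in `Markup`, so `ts` reaches the `title` and `datetime` attributes unescaped. If `ts` is always a numeric timestamp this is harmless, but that is not visible in the hunk. Applying `%` to the Markup object escapes the arguments: `jinja2.utils.markupsafe.Markup('<time title="%s" datetime="%s">%s</time>') % (ts, ts, formatts(ts))`. Separately, `jinja2.utils.markupsafe` resolves only because `jinja2.utils` happens to import that package. A top-level `import markupsafe` would make the dependency explicit, here and in the two hunks that follow.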
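Review bot: `render_archset` escapes only its multi-element branch; the context lines above the change return `next(iter(subset))` and `"any"` as plain strings, and `archpairs_format_filter` in the next hunk marks the joined result safe with `Markup`. Architecture names are presumably benign, but the single-element case would be consistent with the rest as `return jinja2.utils.markupsafe.escape(next(iter(subset)))`. `hostarchrep` in the next hunk is interpolated the same way and is built outside the visible lines, so it is worth confirming that it is escaped where it is produced. `render_archset` begins outside the hunk.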
@@ -409,7 +416,7 @@ def show_log(filename): if filename.endswith(".xz"): return flask.send_from_directory("logs", filename, mimetype="application/octet-stream") - filename = flask.safe_join("logs", filename + ".xz") + filename = werkzeug.security.safe_join("logs", filename + ".xz") try: return flask.send_file(lzma.open(filename, "rb"), mimetype="text/plain") |
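Review bot: `werkzeug.security.safe_join` returns `None` for a path that escapes the base directory, where `flask.safe_join` raised `NotFound`, so after this change a rejected `filename` is passed on as `lzma.open(None, "rb")`. Whether the `try` that follows turns the resulting error into a 404 is not visible in the hunk; if it only handles a missing file, such requests would surface as a 500. An explicit check right after the call keeps the old behaviour: `if filename is None: flask.abort(404)`. `show_log` starts and ends outside the hunk.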