Flask url_for URLs in Javascript

Question

What is the recommended way to create dynamic URLs in Javascript files when using flask? In the jinja2 templates and within the python views url_for is used, what is the recommended way to do this in .js files? Since they are not interpreted by the template engine.

What basically want to do is:

// in comments.js
$.post(url_for('comment.comment_reply'));

Which is not possible.

But naturally, I can execute that in a template:

<script>
    $.post(url_for('comment.comment_reply'));
</script>

Stewart Park · Accepted Answer · 2015-01-05 17:25:05Z

40

What @dumbmatter's suggesting is pretty much considered a de facto standard way. But I thought there would be a nicer way of doing it. So I managed to develop this plugin: Flask-JSGlue.

After adding {{ JSGlue.include() }}, you can do the following in your source code:

<script>
    $.post(Flask.url_for('comment.comment_reply', {article_id: 3}));
</script>

or:

<script>
    location.href = Flask.url_for('index', {});
</script>

answered Jan 5, 2015 at 17:25

Stewart Park

4165 silver badges4 bronze badges

Sign up to request clarification or add additional context in comments.

17 Comments

SUNDONG Over a year ago

This is very nice solution. I couldn't change script file path, which in my case was d3.json("{{url_for('static', filename='userdata/0af968589866013dbe09f57d3c78cc094666ff49.json')}}", because file path information is inside {{ url_for }} command, so I couldn't break. However, now I can define var usermusics as 0afblahblah.json and use it like Flask.url_for("static", {"filename": usermusics})

Stewart Park Over a year ago

Decorator sounds like a good idea. But to be fair, having an endpoint not exposed doesn't make it secure. You have to have some kind of authentication/security other than just not exposing endpoints. I'll add this to the roadmap, I think that's a valid/more secure approach. Thanks for the input, @Collin.

jpmc26 Over a year ago

@Collin In security, you generally assume your attacker knows everything about how your system works that you do (note that "how your system works" does exclude secret passwords, keys, etc.). Your system should be secure even if the attacker knows the end points. There are other ways of getting them, e.g. social engineering, infecting a legitimate user's machine, and I'm sure the list goes on. Relying on an attacker not knowing the endpoint is a form of "security through obscurity," and in practice, such techniques generally don't hold up well to a real attacker.

jpmc26 Over a year ago

@Collin Also keep in mind that your URLs are fundamentally public information. Many of your users will know them, so they would be difficult to protect anyway. And you're really only exposing a pattern, so an attacker still needs the inputs to the pattern. I don't think this small exposure of information greatly increases your risk.

jpmc26 Over a year ago

@Collin That's the point you go to your manager/client and say, "This application as it exists now has fundamental security flaws that should be addressed immediately if you value your reputation. Here is what I propose..."

|

dumbmatter · Accepted Answer · 2012-04-26 14:38:27Z

17

The Flask documentation suggests using url_for in your HTML file to set a variable containing the root URL that you can access elsewhere. Then, you would have to manually build the view URLs on top of that, although I guess you could store them similar to the root URL.

answered Apr 26, 2012 at 14:38

dumbmatter

9,7137 gold badges46 silver badges88 bronze badges

4 Comments

Erik Rothoff Over a year ago

Not that pretty, but I guess it will have to do!

dumbmatter Over a year ago

Now that I think about it again, wouldn't it be possible to write a Flask extension that sees the URL routing defined in the Python code and dynamically translates it (whenever something changes) into equivalent JavaScript code, thus providing an equivalent url_for in JavaScript?

bluenote10 Over a year ago

Adding a bit more details to the answer would be helpful. I'm doing exactly what the link recommends, but the template variable request.script_root|tojson|safe renders to an empty string for me. Unfortunately the doc link doesn't give a self-contained example and I can't figure out what it is assuming implicitly...

Mojimi Over a year ago

Yup, adding to this, if you are needing a url_for that is specifically for Javascript and doesn't fit into the HTML template, then you should probably be writing a small JS lib to do your AJAX requests. This lib could read the urls from a JSON that is dynamically created by Jinja2

Louis T · Accepted Answer · 2015-10-23 23:13:54Z

8

Was searching for a solution, them come up with this solution where

No add-on is required
No hard-coding URL

The key is to realise Jinja2 has the ability to render javascript out of the box.

Setup your template folder to something like below:

/template
    /html
        /index.html
    /js
        /index.js

In your views.py

@app.route("/index_js")
def index_js():
    render_template("/js/index.js")

Now instead of serving the javascript from your static folder. You would use:

<script src="{{ url_for('index_js') }}"></script>

After all, you are generating the javascript on the fly, it is no longer a static file.

Now, inside of you javascript file, simply use the url_for as you would in any html file.

For example using Jquery to make an Ajax request

$.ajax({
  url: {{ url_for('endpoint_to_resource') }},
  method: "GET",
  success: call_back()
})

answered Oct 23, 2015 at 23:13

Louis T

6907 silver badges16 bronze badges

2 Comments

Talia Stocks Over a year ago

I've actually used this solution, but it's important to note the performance impact of rendering all your javascript files with jinja2, and its potential impact on caching.

marvin Over a year ago

Thanks for the alternate solution. Note that you have a typo in your view function. It should be return render_template("/js/index.js") rather than render_template("/js/index.js")

Yaniv Aknin · Accepted Answer · 2013-01-10 14:40:19Z

3

@jeremy's answer is correct and probably the more common approach, but as an alternative answer, note that dantezhu wrote and published a flask extension that claims to do the exact url-route-map-to-javascript translation suggested in the comment.

edited Jan 10, 2013 at 14:40

answered Nov 29, 2012 at 16:04

Yaniv Aknin

4,2834 gold badges27 silver badges30 bronze badges

Comments

Jacopofar · Accepted Answer · 2013-03-07 10:53:28Z

2

I use this dirty and ugly trick:

"{{url_for('mypage', name=metadata.name,scale=93,group=2)}}"
.replace('93/group',scale+'/group')

where scale is the javascript variable I want to use for an AJAX request. So, url_for generate an URL and JavaScript replace the parameter at runtime. The generated code is something like:

"/ajaxservive/mynam/scale/93/group/2".replace('93/group',scale+'/group')

which is pretty strange, but still can't find more elegant solutions.

In fact, looking at the code of the linked flask extension, it does the same thing but managing the general case.

answered Mar 7, 2013 at 10:53

Jacopofar

3,5072 gold badges21 silver badges29 bronze badges

Comments

Cole Murray · Accepted Answer · 2015-04-26 00:47:54Z

1

In my case, I was trying to dynamically create urls

I solved my issue as follows (Note: I've swapped out Angular's syntax to {[x]}:

<ul>
    <li ng-repeat="x in projects">
        {[x.title]}
        {% set url = url_for('static',filename="img/") %}

        <img src="{{url}}{[x.img]}">
    </li>
</ul>

answered Apr 26, 2015 at 0:47

Cole Murray

6018 silver badges15 bronze badges

Comments

psychic_coder · Accepted Answer · 2021-11-23 20:16:44Z

1

I was able to pass a dynamically created url route to a javascript function by using "tojson" with Jinja2 and Flask.

To pass the dynmaic url from the html template to js, simply add '|tojson' at the end of your jinja statment to convert it to the appropriate format.

Instead of:

<script>
 $.post(url_for('comment.comment_reply'));
</script>

Try:

<script>
 var route = {{ url_for('comment.comment_reply')|tojson }};
 yourJavaScriptFunction(route);
</script>

Then you will be able to use the route in your js functions as the correct route for whatever you need.

yourJavaScriptFunction(route){
 console.log(route);
}

answered Nov 23, 2021 at 20:16

psychic_coder

414 bronze badges

Comments

Arindam Roychowdhury · Accepted Answer · 2018-08-14 11:03:20Z

-2

I was trying to call a FLASK route when a button is pressed. It should collect the response and update a div. The page should not reload.

I used jquery to do this.

Here's the code:

@app.route('/<name>')
def getContent(name):
    return 'This is %s' % name

HTML:

    <div id="mySpace" class="my-3">Count</div>

    <button id="next_id" class="btn btn-primary">Press</button>

    <script>
        $('#next_id').click(function (){
            $.get('/aroy', function(data, status){
            $('#mySpace').html(data);
        });
        });
    </script>

answered Aug 14, 2018 at 11:03

Arindam Roychowdhury

6,6115 gold badges59 silver badges66 bronze badges

Comments

Draken · Accepted Answer · 2016-09-09 10:58:54Z

-3

I suggest this:

<script src="{{ url_for('static', filename='js/jquery.js') }}" type="text/javascript">
</script>

Works fine for me

edited Sep 9, 2016 at 10:58

Draken

3,19614 gold badges38 silver badges56 bronze badges

answered Sep 9, 2016 at 10:16

Edmilson Mello

1

Collectives™ on Stack Overflow

Flask url_for URLs in Javascript

9 Answers 9

17 Comments

4 Comments

2 Comments

Comments

Comments

Comments

Comments

Comments

Comments

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

9 Answers 9

17 Comments

4 Comments

2 Comments

Comments

Comments

Comments

Comments

Comments

Comments

Your Answer

Sign up or log in

Post as a guest

Linked

Related