Autoescaping disabled by default is a dangerous default #528
I discovered today through an externally reported XSS that Jinja doesn't turn on autoescaping by default. This is a dangerous default, made even more dangerous by the fact that many people are introduced to Jinja through their previous knowledge of Django templates, which do have autoescaping enabled by default since 2007.
Looking through the internet, it looks like this fact is not very well known. In fact, I even found books (Python 3 Object Oriented Programming, chapter 12, cc @buchuki) that recommend using jinja2 for websites and leave autoescaping off. A random sample of GitHub projects also shows that most people don't add autoescape=True or the autoescape extension to their project.
While I understand it would probably be a pain to migrate to a safer default at that point, the documentation should at least make it obvious that autoescaping is off by default. Maybe add autoescape=True to all examples that create a jinja2.Environment object and/or add a section very early on in the documentation.
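To make the behaviour described above concrete, here is an added example (not code from the issue author or from the Jinja project) that renders the same template with a bare `Environment()` and with autoescaping enabled. It assumes `jinja2` and its dependency `markupsafe` are installed; the template text and the "untrusted" input are constructed for the example.

```python
"""Jinja's default (autoescape off) next to the hardened configuration.

Added example; assumes jinja2 is installed. The template and the sample
untrusted input are constructed here, not taken from any real project.
"""
from jinja2 import Environment, select_autoescape
from markupsafe import Markup

# Constructed sample: an attacker-controlled display name submitted via a form.
UNTRUSTED_NAME = "<script>alert(1)</script>"

# Constructed template: the kind of one-liner documentation examples use.
TEMPLATE = "<p>Hello, {{ name }}!</p>"


def render_default(name: str) -> str:
    """Render with a bare Environment(), i.e. autoescape=False (Jinja's default).

    Whatever the template interpolates is copied into the HTML verbatim,
    so attacker-controlled input becomes markup.
    """
    env = Environment()
    assert env.autoescape is False  # the default the issue is about
    return env.from_string(TEMPLATE).render(name=name)


def render_hardened(name: str) -> str:
    """Render with autoescaping chosen per template type.

    select_autoescape() enables escaping for templates loaded from files
    named *.html/*.htm/*.xml and, through default_for_string=True, for
    from_string() templates like the one used here. Environment(autoescape=True)
    is the simpler, always-on alternative when every template is HTML.
    """
    env = Environment(
        autoescape=select_autoescape(
            enabled_extensions=("html", "htm", "xml"),
            default_for_string=True,
        )
    )
    return env.from_string(TEMPLATE).render(name=name)


def render_trusted_fragment(fragment: str) -> str:
    """Show the deliberate opt-out: Markup() marks a string as already-safe HTML.

    With autoescaping on, Markup (or the |safe filter) is the only way raw
    markup reaches the output, so every such use is a place to review.
    """
    env = Environment(autoescape=True)
    return env.from_string(TEMPLATE).render(name=Markup(fragment))


def is_script_neutralised(rendered: str) -> bool:
    """Cheap check: no raw <script tag survives in the rendered output."""
    return "<script" not in rendered.lower()


if __name__ == "__main__":
    print("default  :", render_default(UNTRUSTED_NAME))
    print("hardened :", render_hardened(UNTRUSTED_NAME))
    print("trusted  :", render_trusted_fragment("<b>bold</b>"))
```

Running it prints the injected `<script>` tag unchanged from the default environment and `&lt;script&gt;...&lt;/script&gt;` from the hardened one; the third line shows that trusted markup still gets through when it is explicitly wrapped in `Markup`, which is where code review should focus once autoescaping is on.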
Jinja is not only for HTML but a general-purpose template engine. I think most people use Jinja in Flask, which enables autoescape by default for HTML templates. If you integrate a template engine in your own framework, you are supposed to read the documentation on how to use it safely.
That said, I think being very clear in the docs that you should probably use autoescape when generating HTML is a good suggestion.
I would assume most major frameworks get this right (more eyes, less bugs, etc.) but there are also a lot of smaller projects integrating Jinja manually that do make this mistake.
And to be frank, Jinja's documentation is really poor on that subject. Here is what you first see when you open Jinja's documentation:
"modeled after Django's templates" and "secure" could lead one to think it has Django's templates' security features such as autoescaping.
Then, an example, which is HTML. And just after that, in the list of features:
Which doesn't mention it's optional and not enabled by default.
The "Basic API usage" docs page doesn't show autoescaping enabled but it doesn't show HTML either, so I guess that's fine. But then when you go to the API "Basics" page:
The first example is vulnerable to trivial XSSes. People are right to be confused.