Pattern: Not auto escaping in Jinja2
Issue: -
Jinja2 is a Python HTML templating system. It is typically used to build web
applications, though it appears in other places as well, notably the Ansible
automation system. When configuring the Jinja2 environment, the option to use
autoescaping on input can be specified. When autoescaping is enabled, Jinja2
will filter input strings to escape any HTML content submitted via template
variables. Without escaping HTML input the application becomes vulnerable to
Cross-Site Scripting (XSS) attacks.
Unfortunately, autoescaping is False by default. Thus this rule will warn on
omission of an autoescape setting in Jinja2, as well as an explicit setting of
False.
Example of insecure code:
import jinja2
from jinja2 import Environment
# Loader that reads templates from the filesystem root (as in the original example)
templateLoader = jinja2.FileSystemLoader(searchpath="/")
# Explicitly disabled; omitting autoescape entirely is equally insecure, since it defaults to False
env = Environment(loader=templateLoader, autoescape=False)
Example of secure code:
import jinja2
from jinja2 import Environment
templateLoader = jinja2.FileSystemLoader(searchpath="/")
# Enable autoescaping so HTML in template variables is escaped on output
env = Environment(loader=templateLoader, autoescape=True)
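The detection logic the rule describes (warn when the autoescape setting is omitted or explicitly False), written out as an added example that is not code from the original page. It is a small stdlib-only checker using Python's ast module: it finds every Environment(...) call in a piece of source and classifies its autoescape keyword. The sample source it scans is constructed for this example; select_autoescape is Jinja2's real helper for enabling escaping per file extension and is accepted as safe, while any other non-literal value is reported for manual review rather than assumed safe.

```python
import ast
from typing import List, Tuple

# Constructed sample source: several ways of building a Jinja2 Environment.
SAMPLE_SOURCE = '''
import jinja2
from jinja2 import Environment, select_autoescape

loader = jinja2.FileSystemLoader(searchpath="templates")
Environment(loader=loader)                                          # omitted -> default False
jinja2.Environment(loader=loader, autoescape=False)                 # explicit False
Environment(loader=loader, autoescape=True)                         # safe
Environment(loader=loader, autoescape=select_autoescape(["html"]))  # safe
Environment(loader=loader, autoescape=settings.AUTOESCAPE)          # needs manual review
'''


def _is_environment_call(node: ast.Call) -> bool:
    """True for `Environment(...)` or `jinja2.Environment(...)`."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id == "Environment"
    if isinstance(func, ast.Attribute):
        return func.attr == "Environment"
    return False


def classify_autoescape(node: ast.Call) -> str:
    """Classify one Environment() call as 'missing', 'disabled', 'safe' or 'review'."""
    for kw in node.keywords:
        if kw.arg is None:
            # `**options` expansion: the setting cannot be decided statically
            return "review"
        if kw.arg != "autoescape":
            continue
        value = kw.value
        if isinstance(value, ast.Constant):
            if value.value is True:
                return "safe"
            if value.value is False or value.value is None:
                return "disabled"
            return "review"
        if isinstance(value, ast.Call):
            f = value.func
            name = f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)
            if name == "select_autoescape":
                return "safe"
        return "review"
    # No autoescape keyword at all: Jinja2's default is False
    return "missing"


def find_unsafe_environments(source: str) -> List[Tuple[int, str]]:
    """Scan Python source and return (line, verdict) for each Environment() call
    whose autoescape setting is omitted, disabled, or not statically decidable."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _is_environment_call(node):
            verdict = classify_autoescape(node)
            if verdict != "safe":
                findings.append((node.lineno, verdict))
    findings.sort()
    return findings


if __name__ == "__main__":
    for line, verdict in find_unsafe_environments(SAMPLE_SOURCE):
        print(f"line {line}: autoescape {verdict}")
```

Running it against the constructed sample reports lines 6 (missing), 7 (disabled) and 10 (review); the two calls that pass True or select_autoescape(...) produce no finding. The "review" verdict matters in practice: a value loaded from configuration may well be False at runtime, so a checker that silently accepts any non-literal expression would miss exactly the deployments where the setting is easiest to get wrong.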