From 6c5730f31a430da360c6d1cf8abc0ee3166a0376 Mon Sep 17 00:00:00 2001
From: rama280290 <131746267+rama280290@users.noreply.github.com>
Date: Wed, 4 Sep 2024 17:54:25 +0530
Subject: [PATCH] Update test_jinja2.py (#2491)

Cross-site scripting (XSS) attacks can occur if untrusted input is not escaped. This applies to templates as well as code. The jinja2 templates may be vulnerable to XSS if the environment has autoescape set to False. Unfortunately, jinja2 sets autoescape to False by default. Explicitly setting autoescape to True when creating an Environment object will prevent this.

Signed-off-by: Rajendran, Ramasubramanian
---
 .../opentelemetry-instrumentation-jinja2/tests/test_jinja2.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/instrumentation/opentelemetry-instrumentation-jinja2/tests/test_jinja2.py b/instrumentation/opentelemetry-instrumentation-jinja2/tests/test_jinja2.py
index 26ba98e69b..98344c47e4 100644
--- a/instrumentation/opentelemetry-instrumentation-jinja2/tests/test_jinja2.py
+++ b/instrumentation/opentelemetry-instrumentation-jinja2/tests/test_jinja2.py
@@ -143,7 +143,7 @@ def test_generate_inline_template(self):
     def test_file_template_with_root(self):
         with self.tracer.start_as_current_span("root"):
             loader = jinja2.loaders.FileSystemLoader(TMPL_DIR)
-            env = jinja2.Environment(loader=loader)
+            env = jinja2.Environment(loader=loader, autoescape=True)
             template = env.get_template("template.html")
             self.assertEqual(
                 template.render(name="Jinja"), "Message: Hello Jinja!"
@@ -164,7 +164,7 @@ def test_file_template_with_root(self):
 
     def test_file_template(self):
         loader = jinja2.loaders.FileSystemLoader(TMPL_DIR)
-        env = jinja2.Environment(loader=loader)
+        env = jinja2.Environment(loader=loader, autoescape=True)
         template = env.get_template("template.html")
         self.assertEqual(
             template.render(name="Jinja"), "Message: Hello Jinja!"
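Review bot: The new `autoescape=True` argument on the `jinja2.Environment(...)` line is never exercised by the assertion that follows it, because `name="Jinja"` contains nothing to escape, so the test passes identically with autoescape at its default and would not notice if the kwarg were dropped again; the same applies to the second hunk in `test_file_template`. If the intent is to pin the escaping behaviour rather than only to silence a linter, add one render with a markup-bearing value alongside the existing one, e.g. `self.assertEqual(template.render(name="<b>x</b>"), "Message: Hello &lt;b&gt;x&lt;/b&gt;!")`, which presumes `template.html` is `Message: Hello {{ name }}!` as the existing expected output suggests. Otherwise a short comment such as `# autoescape=True: mirror the safe default callers should use; output here has nothing to escape` would make clear the kwarg is intentional and not load-bearing for the span assertions. Both `assertEqual(` calls continue past the end of their hunks.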