Update test_jinja2.py

Cross-site scripting (XSS) attacks can occur if untrusted input is not escaped. This applies to templates as well as code. The jinja2 templates may be vulnerable to XSS if the environment has autoescape set to False. Unfortunately, jinja2 sets autoescape to False by default. Explicitly setting autoescape to True when creating an Environment object will prevent this. Signed-off-by: Rajendran, Ramasubramanian <[email protected]>
open-telemetry · Apr 9, 2024 · c44b8b6 · c44b8b6
1 parent fdcbbdd
commit c44b8b6
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/instrumentation/opentelemetry-instrumentation-jinja2/tests/test_jinja2.py b/instrumentation/opentelemetry-instrumentation-jinja2/tests/test_jinja2.py
@@ -143,7 +143,7 @@ def test_generate_inline_template(self):
     def test_file_template_with_root(self):
         with self.tracer.start_as_current_span("root"):
             loader = jinja2.loaders.FileSystemLoader(TMPL_DIR)
-            env = jinja2.Environment(loader=loader)
+            env = jinja2.Environment(loader=loader, autoescape=True)
             template = env.get_template("template.html")
             self.assertEqual(
                 template.render(name="Jinja"), "Message: Hello Jinja!"
@@ -164,7 +164,7 @@ def test_file_template_with_root(self):
 
     def test_file_template(self):
         loader = jinja2.loaders.FileSystemLoader(TMPL_DIR)
-        env = jinja2.Environment(loader=loader)
+        env = jinja2.Environment(loader=loader, autoescape=True)
         template = env.get_template("template.html")
         self.assertEqual(
             template.render(name="Jinja"), "Message: Hello Jinja!"