
Commit

Update test_jinja2.py
Cross-site scripting (XSS) attacks can occur if untrusted input is not escaped. This applies to templates as well as code. The jinja2 templates may be vulnerable to XSS if the environment has autoescape set to False. Unfortunately, jinja2 sets autoescape to False by default. Explicitly setting autoescape to True when creating an Environment object will prevent this.

Signed-off-by: Rajendran, Ramasubramanian <[email protected]>
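As an added illustration of the flag this commit flips (example code, not part of the commit or the project), the same "Message: Hello …!" template is rendered with Jinja2's default and with `autoescape=True`; `TEMPLATES`, `HOSTILE_NAME`, `render`, `render_by_extension` and `markup_survives` are constructed names, and the template is held in an in-memory `DictLoader` so no `template.html` from the repository is needed.

```python
"""Constructed example: what jinja2's autoescape default means for a template
whose rendered output matches the one asserted in test_jinja2.py."""
from jinja2 import DictLoader, Environment, select_autoescape

# Constructed in-memory templates mirroring the test's expected output.
# A .txt copy is included to show extension-based escaping decisions.
TEMPLATES = {
    "template.html": "Message: Hello {{ name }}!",
    "template.txt": "Message: Hello {{ name }}!",
}

# Constructed untrusted input standing in for a user-controlled `name`.
HOSTILE_NAME = '<script>alert("x")</script>'


def render(template_name: str, name: str, autoescape) -> str:
    """Render `template_name` under the given autoescape policy.

    `autoescape` is the Environment knob changed in this commit: a bool,
    or the callable returned by jinja2.select_autoescape().
    """
    env = Environment(loader=DictLoader(TEMPLATES), autoescape=autoescape)
    return env.get_template(template_name).render(name=name)


def render_by_extension(template_name: str, name: str) -> str:
    """Escape .html/.xml templates, leave plain-text templates unescaped."""
    policy = select_autoescape(enabled_extensions=("html", "xml"))
    return render(template_name, name, policy)


def markup_survives(rendered: str) -> bool:
    """True if a raw <script> tag reached the output unescaped."""
    return "<script>" in rendered


if __name__ == "__main__":
    # Benign input renders identically either way, which is why the
    # assertion in the commit's tests is unaffected by the change.
    assert render("template.html", "Jinja", False) == render("template.html", "Jinja", True)

    # Default (autoescape=False): markup is copied into the page verbatim.
    print("autoescape=False:", render("template.html", HOSTILE_NAME, False))
    # autoescape=True: <, >, &, " and ' become HTML entities.
    print("autoescape=True: ", render("template.html", HOSTILE_NAME, True))

    # select_autoescape(): decision keyed on the template's extension.
    print("by extension (.html):", render_by_extension("template.html", HOSTILE_NAME))
    print("by extension (.txt): ", render_by_extension("template.txt", HOSTILE_NAME))
```

Autoescaping only neutralises HTML element content; values placed into `href`, inline event handlers or `<script>` bodies still need context-specific handling.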
rama280290 committed Sep 4, 2024
1 parent d6e667f commit ea2f1fb
Showing 1 changed file with 2 additions and 2 deletions.
Expand Up @@ -143,7 +143,7 @@ def test_generate_inline_template(self):
def test_file_template_with_root(self):
with self.tracer.start_as_current_span("root"):
loader = jinja2.loaders.FileSystemLoader(TMPL_DIR)
env = jinja2.Environment(loader=loader)
env = jinja2.Environment(loader=loader, autoescape=True)
template = env.get_template("template.html")
self.assertEqual(
template.render(name="Jinja"), "Message: Hello Jinja!"
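Review bot: the assertion following `env = jinja2.Environment(loader=loader, autoescape=True)` still renders `name="Jinja"`, which contains nothing that escaping would alter, so `test_file_template_with_root` passes identically with autoescape on or off and does not verify the behaviour the commit message motivates. Consider adding a second render in this test with a name that carries markup (for example `name="<b>Jinja</b>"`) and asserting that the output is entity-encoded (`Message: Hello &lt;b&gt;Jinja&lt;/b&gt;!`), so a regression to the default is caught by the suite rather than only by a linter.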
Expand All @@ -164,7 +164,7 @@ def test_file_template_with_root(self):

def test_file_template(self):
loader = jinja2.loaders.FileSystemLoader(TMPL_DIR)
env = jinja2.Environment(loader=loader)
env = jinja2.Environment(loader=loader, autoescape=True)
template = env.get_template("template.html")
self.assertEqual(
template.render(name="Jinja"), "Message: Hello Jinja!"
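Review bot: `test_file_template` now repeats the `jinja2.Environment(loader=loader, autoescape=True)` construction from `test_file_template_with_root` verbatim; since both tests load `template.html` from the same `TMPL_DIR`, consider building the environment once in a small helper or `setUp` so that any later test added to this file inherits `autoescape=True` instead of silently falling back to the `False` default the commit message warns about.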

0 comments on commit ea2f1fb
