~ubuntu-branches/debian/sid/bandit/sid

« back to all changes in this revision

Viewing changes to docs/jinja2.md

Committer: Package Import Robot
Author(s): Dave Walker (Daviey)
Date: 2015-07-22 09:01:39 UTC
Revision ID: package-import@ubuntu.com-20150722090139-fl0nluy0x8m9ctx4

Tags: upstream-0.12.0

Import upstream version 0.12.0

files added:

.gitignore

.gitreview

.testr.conf

AUTHORS

LICENSE

README.md

bandit

bandit/__init__.py

bandit/bandit.py

bandit/config

bandit/config/bandit.yaml

bandit/core

bandit/core/__init__.py

bandit/core/config.py

bandit/core/constants.py

bandit/core/context.py

bandit/core/extension_loader.py

bandit/core/formatters.py

bandit/core/manager.py

bandit/core/meta_ast.py

bandit/core/node_visitor.py

bandit/core/objects.py

bandit/core/result_store.py

bandit/core/test_properties.py

bandit/core/test_set.py

bandit/core/tester.py

bandit/core/utils.py

bandit/plugins

bandit/plugins/__init__.py

bandit/plugins/asserts.py

bandit/plugins/blacklist_calls.py

bandit/plugins/blacklist_imports.py

bandit/plugins/crypto_random.py

bandit/plugins/crypto_request_no_cert_validation.py

bandit/plugins/exec.py

bandit/plugins/exec_as_root.py

bandit/plugins/general_bad_file_permissions.py

bandit/plugins/general_bind_all_interfaces.py

bandit/plugins/general_hardcoded_password.py

bandit/plugins/general_hardcoded_tmp.py

bandit/plugins/injection_shell.py

bandit/plugins/injection_sql.py

bandit/plugins/injection_wildcard.py

bandit/plugins/insecure_ssl_tls.py

bandit/plugins/jinja2_templates.py

bandit/plugins/mako_templates.py

bandit/plugins/secret_config_option.py

bandit/plugins/xml.py

docs

docs/exec.md

docs/jinja2.md

docs/ssl_tls.md

docs/temp.md

docs/xml.md

docs/yaml.md

examples

examples/assert.py

examples/binding.py

examples/crypto-md5.py

examples/eval.py

examples/exec-as-root.py

examples/exec-py2.py

examples/exec-py3.py

examples/hardcoded-passwords.py

examples/hardcoded-tmp.py

examples/httplib_https.py

examples/imports-aliases.py

examples/imports-from.py

examples/imports-function.py

examples/imports-telnetlib.py

examples/imports.py

examples/jinja2_templating.py

examples/mako_templating.py

examples/marshal_deserialize.py

examples/mktemp.py

examples/multiline-str.py

examples/nonsense.py

examples/okay.py

examples/os-chmod-py2.py

examples/os-chmod-py3.py

examples/os-exec.py

examples/os-popen.py

examples/os-spawn.py

examples/os-startfile.py

examples/os_system.py

examples/paramiko_injection.py

examples/pickle_deserialize.py

examples/popen_wrappers.py

examples/random_module.py

examples/requests-ssl-verify-disabled.py

examples/secret-config-option.py

examples/skip.py

examples/sql_statements_with_sqlalchemy.py

examples/sql_statements_without_sql_alchemy.py

examples/ssl-insecure-version.py

examples/subprocess_shell.py

examples/urlopen.py

examples/utils-shell.py

examples/wildcard-injection.py

examples/xml_etree_celementtree.py

examples/xml_etree_elementtree.py

examples/xml_expatbuilder.py

examples/xml_expatreader.py

examples/xml_lxml.py

examples/xml_minidom.py

examples/xml_pulldom.py

examples/xml_sax.py

examples/xml_xmlrpc.py

examples/yaml_load.py

requirements.txt

scripts

scripts/main.py

setup.cfg

setup.py

test-requirements.txt

tests

tests/__init__.py

tests/test_basic.py

tests/test_functional.py

tests/test_node_visitor.py

tests/test_util.py

tox.ini

wordlist

wordlist/default-passwords

Show diffs side-by-side

added added

removed removed

docs/jinja2.md

jinja2 templates

=====================

From the doc page, 'Jinja2 is a modern and designer-friendly templating language

for Python." Jinja2 is the templating engine used in the common web framework

Flask.

The [Jinja2 docs](http://jinja.pocoo.org/docs/dev/api/#autoescaping) on

autoescaping indirectly state that the default behavior is autoescape=False:

"As of Jinja 2.4 the preferred way to do autoescaping is to **enable** the

Autoescape Extension and to configure a sensible default for autoescaping."

### Incorrect

With autoescape=False, the default behavior, we can see XSS is trivial if a user

controlled value is ever rendered in a jinja2 template:

```shell

>>> from jinja2 import Template

>>> t = Template("Hello darkness, my old {{ friend }}")

>>> t.render(friend="friend")

u'Hello darkness, my old friend'

>>> t.render(friend="<h1>enemy</h1>")

u'Hello darkness, my old <h1>enemy</h1>'

```

### Correct

The correct solution is to use autoescape=True, as we can see below:

```shell

>>> from jinja2 import Template

>>> t = Template("Hello darkness, my old {{ friend }}", autoescape=True)

>>> t.render(friend="friend")

u'Hello darkness, my old friend'

>>> t.render(friend="<h1>enemy</h1>")

u'Hello darkness, my old <h1>enemy</h1>'

>>>

```

## Consequences

* HTML/Javascript injection, known as XSS attacks.

## References

* https://realpython.com/blog/python/primer-on-jinja-templating/

* http://jinja.pocoo.org/docs/dev/api/#autoescaping

Older »