From the doc page, "Jinja2 is a modern and designer-friendly templating language
for Python." Jinja2 is the templating engine used in the common web framework
The [Jinja2 docs](http://jinja.pocoo.org/docs/dev/api/#autoescaping) on
autoescaping indirectly state that the default behavior is autoescape=False:
"As of Jinja 2.4 the preferred way to do autoescaping is to **enable** the
Autoescape Extension and to configure a sensible default for autoescaping."
With the default autoescape=False, XSS is trivial if a user-controlled value is
ever rendered in a Jinja2 template:
    >>> from jinja2 import Template
    >>> t = Template("Hello darkness, my old {{ friend }}")
    >>> t.render(friend="friend")
    u'Hello darkness, my old friend'
    >>> t.render(friend="<h1>enemy</h1>")
    u'Hello darkness, my old <h1>enemy</h1>'
The fix is to enable autoescaping with autoescape=True; the same payload is then
rendered as inert, HTML-escaped text:
    >>> from jinja2 import Template
    >>> t = Template("Hello darkness, my old {{ friend }}", autoescape=True)
    >>> t.render(friend="friend")
    u'Hello darkness, my old friend'
    >>> t.render(friend="<h1>enemy</h1>")
    u'Hello darkness, my old &lt;h1&gt;enemy&lt;/h1&gt;'
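As an added example (not code from the original page or from the Jinja2 project), the same pattern with an `Environment`, which is how applications normally configure Jinja2: the default environment reproduces the XSS above, `select_autoescape` turns escaping on for HTML/XML template names, and the block also shows the two ways escaping is deliberately bypassed even with autoescape on, the `|safe` filter and `Markup`-wrapped values, since those are where autoescape-enabled applications still get XSS. The template names, the `friend` variable and the payload are constructed for this example.

```python
from jinja2 import DictLoader, Environment, select_autoescape
from markupsafe import Markup  # the "already safe" string type Jinja2 uses for escaped output

# Constructed attacker-controlled input for this example.
PAYLOAD = '<script>alert(document.cookie)</script>'

# Constructed in-memory templates. The names matter: select_autoescape decides
# per template name (by file extension).
TEMPLATES = {
    "greet.html": "Hello darkness, my old {{ friend }}",
    "greet.txt": "Hello darkness, my old {{ friend }}",
    # |safe tells Jinja2 the value is trusted HTML and must not be escaped, so
    # this template is as injectable as an unescaped one if 'friend' is user data.
    "trusted.html": "Hello darkness, my old {{ friend|safe }}",
}


def make_env(hardened: bool) -> Environment:
    """Build a Jinja2 Environment in the vulnerable (default) or hardened configuration."""
    if not hardened:
        # Environment() leaves autoescape at its default of False.
        return Environment(loader=DictLoader(TEMPLATES))
    return Environment(
        loader=DictLoader(TEMPLATES),
        # Escape templates named *.html/*.htm/*.xml and any template compiled from
        # a bare string (no name); templates such as *.txt are left alone.
        autoescape=select_autoescape(
            enabled_extensions=("html", "htm", "xml"),
            default_for_string=True,
        ),
    )


def render(template_name: str, value, hardened: bool) -> str:
    """Render one named template with the user-controlled value bound to 'friend'."""
    return make_env(hardened).get_template(template_name).render(friend=value)


def render_string(source: str, value, hardened: bool) -> str:
    """Render an ad-hoc template string (what Template(...) does); covered by default_for_string."""
    return make_env(hardened).from_string(source).render(friend=value)


def render_trusted_markup(hardened: bool) -> str:
    """A Markup value is treated as already-safe HTML and is never escaped, even with autoescape on."""
    return render("greet.html", Markup("<b>friend</b>"), hardened)


def contains_payload(rendered: str) -> bool:
    """True when the attacker's markup survived rendering verbatim, i.e. the page is injectable."""
    return PAYLOAD in rendered


if __name__ == "__main__":
    for name in ("greet.html", "greet.txt", "trusted.html"):
        for hardened in (False, True):
            out = render(name, PAYLOAD, hardened)
            status = "INJECTED" if contains_payload(out) else "escaped"
            print(f"{name:13} hardened={hardened!s:5} {status:8} {out}")
    print(render_trusted_markup(hardened=True))
```

Note that the hardened environment still emits the payload verbatim for `greet.txt` (not an enabled extension) and for `trusted.html` (the `|safe` filter), so in a review every `|safe`, every `Markup(...)` constructed from request data, and every template name that falls outside `enabled_extensions` is a place to look for XSS.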
* HTML/JavaScript injection, known as XSS (cross-site scripting) attacks.
* https://realpython.com/blog/python/primer-on-jinja-templating/
* http://jinja.pocoo.org/docs/dev/api/#autoescaping