Template engines have an HTML autoescape mechanism that protects web applications against most common cross-site-scripting (XSS) vulnerabilities.
By default, it automatically replaces HTML special characters in any template variables. This secure by design configuration should not be globally disabled.
Escaping HTML from template variables prevents switching into any execution context, like <script>. Disabling autoescaping
forces developers to manually escape each template variable for the application to be safe. A more pragmatic approach is to escape by default and to
manually disable escaping when needed.
A successful exploitation of a cross-site-scripting vulnerability by an attacker allow him to execute malicious JavaScript code in a user's web browser. The most severe XSS attacks involve:
This rule raises supports the following libraries:
from jinja2 import Environment env = Environment() # Noncompliant; New Jinja2 Environment has autoescape set to false env = Environment(autoescape=False) # Noncompliant
from jinja2 import Environment env = Environment(autoescape=True) # Compliant