Auto escape should be set to true

Docs > Code Analysis > Static Analysis Rules > Auto escape should be set to true

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: python-security/jinja-autoescape

Language: Python

Severity: Notice

Category: Security

CWE: 94

Description

By default, jinja2 is not autoescaping. This can lead to XSS attacks. The autoescape parameter should always be True.

Learn More

Non-Compliant Code Examples

import jinja2
env = jinja2.Environment(
    loader=PackageLoader("yourapp"),
    autoescape=False # should be True
)

from jinja2 import Environment, PackageLoader, select_autoescape
env = Environment(
    loader=PackageLoader("yourapp"),
    autoescape=False # should be True
)

Compliant Code Examples

import jinja2
env = Environment(
    loader=PackageLoader("yourapp"),
    autoescape=True
)

from jinja2 import Environment, PackageLoader, select_autoescape
env = Environment(
    loader=PackageLoader("yourapp"),
    autoescape=select_autoescape()
)

from jinja2 import Environment, PackageLoader, select_autoescape
env = Environment(
    loader=PackageLoader("yourapp"),
    autoescape=True
)