Auto escape should be set to true
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
ID: python-security/jinja-autoescape
Language: Python
Severity: Notice
Category: Security
CWE: 94
Description
By default, jinja2 is not autoescaping. This can lead to XSS attacks. The autoescape
parameter should always be True
.
Learn More
Non-Compliant Code Examples
import jinja2
env = jinja2.Environment(
loader=PackageLoader("yourapp"),
autoescape=False # should be True
)
from jinja2 import Environment, PackageLoader, select_autoescape
env = Environment(
loader=PackageLoader("yourapp"),
autoescape=False # should be True
)
Compliant Code Examples
import jinja2
env = Environment(
loader=PackageLoader("yourapp"),
autoescape=True
)
from jinja2 import Environment, PackageLoader, select_autoescape
env = Environment(
loader=PackageLoader("yourapp"),
autoescape=select_autoescape()
)
from jinja2 import Environment, PackageLoader, select_autoescape
env = Environment(
loader=PackageLoader("yourapp"),
autoescape=True
)
Seamless integrations. Try Datadog Code Analysis