Jinja2 Template Engine Without Autoescaping Enabled

Description

The application uses Jinja2 template engine without autoescaping enabled, which could lead to Cross-Site Scripting (XSS) attacks when rendering user-supplied input. Jinja2 does not support context-aware escaping, so it's essential to encode data depending on the specific context it's used in.

Examples

Insecure Code

python

env = jinja2.Environment(loader=jinja2.FileSystemLoader('templates'))

Secure Code

python

env = jinja2.Environment(loader=jinja2.FileSystemLoader('templates'), autoescape=jinja2.select_autoescape())

Remediation

Enable autoescaping in the Jinja2 environment by setting `autoescape=True` or using `select_autoescape` function. Additionally, consider writing custom Jinja2 filters to handle different contexts, such as escaping links and script blocks.

Rule Details

Field	Value
ID	CODE-0142
Category	Injection
Severity	MEDIUM
CWE	CWE-116
Confidence	HIGH
Impact	HIGH
Likelihood	MEDIUM
Exploitability	EASY
Tags	XSS, autoescaping
OWASP	A7:2017-Cross-Site Scripting (XSS), A03:2021-Injection

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Jinja2 Template Engine Without Autoescaping Enabled

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

Jinja2 Template Engine Without Autoescaping Enabled ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

Jinja2 Template Engine Without Autoescaping Enabled

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details