Enable Jinja2 Autoescape

[pixeebot]

This codemod enables autoescaping of HTML content in jinja2. Unfortunately, the jinja2 default behavior is to not autoescape when rendering templates, which makes your applications potentially vulnerable to Cross-Site Scripting (XSS) attacks.

Our codemod checks if you forgot to enable autoescape or if you explicitly disabled it. The change looks as follows:

  from jinja2 import Environment

- env = Environment()
- env = Environment(autoescape=False, loader=some_loader)
+ env = Environment(autoescape=True)
+ env = Environment(autoescape=True, loader=some_loader)
  ...

More reading

• https://owasp.org/www-community/attacks/xss/
• https://jinja.palletsprojects.com/en/3.1.x/api/#autoescaping
• https://cwe.mitre.org/data/definitions/79

🧚🤖 Powered by Pixeebot

Feedback | Community | Docs | Codemod ID: pixee:python/enable-jinja2-autoescape

[pixeebot]

I'm confident in this change, and the CI checks pass, too!

If you see any reason not to merge this, or you have suggestions for improvements, please let me know!

[pixeebot]

Just a friendly ping to remind you about this change. If there are concerns about it, we'd love to hear about them!

[pixeebot]

This change may not be a priority right now, so I'll close it. If there was something I could have done better, please let me know!

You can also customize me to make sure I'm working with you in the way you want.