
XSS in jinja2 templates #44

Open
tiran opened this issue Sep 14, 2015 · 2 comments
tiran commented Sep 14, 2015

Michael Scherer has reported an XSS vulnerability in the jinja2 templates. According to Michael, jinja2 doesn't filter HTML. All user data (name, email, etc.) must be filtered.

@tiran tiran added the bug label Sep 14, 2015
mscherer added a commit to mscherer/freeipa-community-portal that referenced this issue Sep 14, 2015
@mscherer

One solution would be autoescaping (cf. PR), but the FAQ recommends against that:
http://jinja.pocoo.org/docs/dev/faq/


simo5 commented Sep 14, 2015

The reasons listed make sense for applications that have a lot of program-controlled output, but most of the portal has user-controlled output; I think it is ok to use autoescaping to simplify the portal code.
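The behaviour the thread is about, as an added example that is not the portal's code: the same template rendered from a jinja2 `Environment` left at its default (no autoescaping), from one with `select_autoescape` turned on, and from the autoescaping one with the value explicitly marked safe. The template name `profile.html`, the `render_*` helpers and the attacker string are constructed for illustration; `select_autoescape`, `DictLoader` and `Markup` are the real jinja2/markupsafe APIs.

```python
"""
Added example (not freeipa-community-portal code): why user data reaches the
page unescaped under jinja2's defaults, and what autoescaping changes.
"""
from jinja2 import Environment, DictLoader, select_autoescape
from markupsafe import Markup

# Hypothetical template that echoes fields a visitor typed into a sign-up
# form. Only the .html suffix matters to select_autoescape below.
TEMPLATES = {
    "profile.html": "<p>Name: {{ name }}</p><p>Email: {{ email }}</p>",
}

# Constructed attacker input: a "name" carrying a script tag.
EVIL_NAME = "<script>alert(1)</script>"
EMAIL = "bob@example.com"


def render_unescaped(name, email):
    """jinja2's default: autoescape is off, so markup inside user data is
    copied verbatim into the HTML output. This is the reported XSS."""
    env = Environment(loader=DictLoader(TEMPLATES))
    return env.get_template("profile.html").render(name=name, email=email)


def render_autoescaped(name, email):
    """Autoescaping enabled for .html/.xml templates: every {{ }} expression
    is HTML-escaped unless the value is explicitly marked safe."""
    env = Environment(
        loader=DictLoader(TEMPLATES),
        autoescape=select_autoescape(["html", "xml"]),
    )
    return env.get_template("profile.html").render(name=name, email=email)


def render_marked_safe(name, email):
    """The escape hatch that still bites with autoescaping on: a value wrapped
    in Markup (equivalently, passed through |safe in the template) is trusted
    and emitted unescaped. Never wrap user-controlled data this way."""
    env = Environment(
        loader=DictLoader(TEMPLATES),
        autoescape=select_autoescape(["html", "xml"]),
    )
    return env.get_template("profile.html").render(
        name=Markup(name), email=email
    )


if __name__ == "__main__":
    print("default   :", render_unescaped(EVIL_NAME, EMAIL))
    print("autoescape:", render_autoescaped(EVIL_NAME, EMAIL))
    print("|safe     :", render_marked_safe(EVIL_NAME, EMAIL))
```

Autoescaping covers HTML text and quoted attribute values, which is what a portal that mostly echoes user-supplied profile fields needs; it does not make unquoted attributes, `javascript:` URLs or inline `<script>` string contexts safe, so user data interpolated there still needs context-specific handling, and every `|safe` or `Markup()` in the templates should be audited to confirm the value is program-controlled.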
