
Sonar: Enable Jinja2 Autoescape

sonar:python/enable-jinja2-autoescape-S5247

Importance: High
Review Guidance: Merge After Review
Requires Scanning Tool: Yes (Sonar)

This codemod acts upon the following Sonar rules: python:S5247.

This codemod enables autoescaping of HTML content in jinja2. Unfortunately, jinja2's default behavior is to not autoescape when rendering templates, so any value interpolated into a template is emitted verbatim, which leaves your applications potentially vulnerable to Cross-Site Scripting (XSS) attacks.

Our codemod checks whether you forgot to enable autoescape or explicitly disabled it. The change looks as follows:

  from jinja2 import Environment

- env = Environment()
- env = Environment(autoescape=False, loader=some_loader)
+ env = Environment(autoescape=True)
+ env = Environment(autoescape=True, loader=some_loader)
...
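The detection and rewrite rule described above, as a stand-alone added example (it is not Pixee's codemod implementation and not Sonar's rule engine): it walks a module's AST with the standard-library ast module, reports every Environment(...) call whose autoescape is missing or set to False, and rewrites exactly those two shapes to autoescape=True, leaving a callable such as select_autoescape(...) untouched for review. The sample module SAMPLE_SOURCE, the helper names and the handling of a keyword splat (**opts) are assumptions made for this example.

```python
"""Detect and fix jinja2 Environment() calls that leave autoescape off.

Added example, not Pixee's codemod: uses only the standard library ``ast``
module and applies the rule the page describes (missing autoescape, or
autoescape=False, becomes autoescape=True; a callable is left alone).
"""
import ast

# Constructed sample module mixing the cases the codemod distinguishes.
SAMPLE_SOURCE = """
from jinja2 import Environment, select_autoescape
env1 = Environment()
env2 = Environment(autoescape=False, loader=some_loader)
env3 = Environment(autoescape=True)
env4 = Environment(autoescape=select_autoescape(["html", "xml"]))
"""


def _is_environment_call(node: ast.Call) -> bool:
    """True for Environment(...) or jinja2.Environment(...)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id == "Environment"
    if isinstance(func, ast.Attribute):
        return func.attr == "Environment"
    return False


def _autoescape_keyword(node: ast.Call):
    """The autoescape=... keyword of a call, or None when absent."""
    return next((kw for kw in node.keywords if kw.arg == "autoescape"), None)


def _has_keyword_splat(node: ast.Call) -> bool:
    """True when the call passes **something (autoescape may hide in there)."""
    return any(kw.arg is None for kw in node.keywords)


def _is_false_literal(expr: ast.AST) -> bool:
    return isinstance(expr, ast.Constant) and expr.value is False


def find_unsafe_environments(source: str):
    """Return (line number, reason) for each Environment() call with autoescape off.

    A literal True or any non-literal expression (e.g. select_autoescape(...))
    is accepted. A **kwargs splat cannot be resolved statically (assumption:
    flag it for manual review rather than silently rewriting it).
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not _is_environment_call(node):
            continue
        kw = _autoescape_keyword(node)
        if kw is None:
            if _has_keyword_splat(node):
                findings.append((node.lineno, "autoescape passed via **kwargs; review manually"))
            else:
                findings.append((node.lineno, "autoescape not set (jinja2 defaults to False)"))
        elif _is_false_literal(kw.value):
            findings.append((node.lineno, "autoescape explicitly disabled"))
    return findings


class _EnableAutoescape(ast.NodeTransformer):
    """Rewrite the two unsafe shapes to autoescape=True; leave everything else."""

    def visit_Call(self, node: ast.Call) -> ast.Call:
        self.generic_visit(node)
        if _is_environment_call(node):
            kw = _autoescape_keyword(node)
            if kw is None and not _has_keyword_splat(node):
                node.keywords.append(
                    ast.keyword(arg="autoescape", value=ast.Constant(value=True))
                )
            elif kw is not None and _is_false_literal(kw.value):
                kw.value = ast.Constant(value=True)
        return node


def enable_autoescape(source: str) -> str:
    """Return the source with the change applied (formatting normalised by ast.unparse)."""
    tree = _EnableAutoescape().visit(ast.parse(source))
    ast.fix_missing_locations(tree)
    return ast.unparse(tree)


if __name__ == "__main__":
    for lineno, reason in find_unsafe_environments(SAMPLE_SOURCE):
        print(f"line {lineno}: {reason}")
    print(enable_autoescape(SAMPLE_SOURCE))
```

Running the module reports env1 (autoescape never set) and env2 (autoescape=False) and prints the rewritten source; env3 and env4 are untouched, which is the reason the page asks for a review step: a callable passed as autoescape is a deliberate policy, not a mistake, so the rewrite must not clobber it. Note that ast.unparse discards comments and original formatting, so a production codemod would edit the source text in place rather than re-emit it from the tree.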

If you have feedback on this codemod, please let us know!

F.A.Q.

Why is this codemod marked as Merge After Review?

This codemod protects your applications against XSS attacks. However, you may prefer to set the autoescape parameter to a custom callable rather than True, so the change should be reviewed before merging.

Codemod Settings

N/A

References