Open tiran opened 8 years ago
One solution would be autoescaping (cf. PR), but the FAQ recommends against that: http://jinja.pocoo.org/docs/dev/faq/
The reasons listed make sense for applications that have a lot of program-controlled output, but most of the portal has user-controlled output; I think it is ok to use autoescaping to simplify the portal code.
Michael Scherer has reported XSS vulnerabilities in jinja2 templates. According to Michael, jinja2 doesn't filter HTML. All user data (name, email, etc.) must be filtered.
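As an added illustration of the two options discussed above (this is example code written for this page, not the portal's templates or a jinja2 change): the same user-controlled profile field rendered by a default jinja2 Environment, by a template that escapes each variable by hand with `|e`, and by an Environment with autoescaping enabled. The profile data and the one-line template are constructed here; the `render_*` helper names are hypothetical. It also shows the one hazard that remains once autoescaping is on, namely applying `|safe` to user data.

```python
# Added example, not code from the issue or the project. Demonstrates why unescaped
# jinja2 output is an XSS sink and how manual escaping vs. autoescaping close it.
from jinja2 import Environment, select_autoescape

# Constructed sample of user-controlled profile data, as a portal would store it.
USER = {"name": "<script>alert(1)</script>", "email": "a@b.test"}

# Hypothetical template mirroring a "hello <name>" fragment of the portal.
TEMPLATE = "<p>Hello {{ user.name }} ({{ user.email }})</p>"


def render_unsafe(user):
    """Default Environment: nothing is escaped, user-supplied HTML lands in the page verbatim."""
    env = Environment()
    return env.from_string(TEMPLATE).render(user=user)


def render_manual_filter(user):
    """Escaping chosen per variable with |e; every {{ }} of user data needs the filter."""
    env = Environment()
    tmpl = env.from_string("<p>Hello {{ user.name|e }} ({{ user.email|e }})</p>")
    return tmpl.render(user=user)


def render_autoescaped(user):
    """Autoescape on: each substitution is escaped unless explicitly marked safe.

    select_autoescape() is the usual loader-based setting (on for .html/.htm/.xml
    files); default_for_string=True makes it apply to from_string() templates too.
    """
    env = Environment(
        autoescape=select_autoescape(
            enabled_extensions=("html", "htm", "xml"), default_for_string=True
        )
    )
    return env.from_string(TEMPLATE).render(user=user)


def render_autoescaped_but_marked_safe(user):
    """The remaining hazard: |safe on user data switches the protection off for that value."""
    env = Environment(autoescape=True)
    return env.from_string("<p>Hello {{ user.name|safe }}</p>").render(user=user)


def contains_raw_script(html):
    """Crude check used only to make the difference visible: did a raw <script> tag survive?"""
    return "<script>" in html


if __name__ == "__main__":
    for fn in (render_unsafe, render_manual_filter,
               render_autoescaped, render_autoescaped_but_marked_safe):
        out = fn(USER)
        print(f"{fn.__name__:36} raw_script={contains_raw_script(out)!s:5} -> {out}")
```

The manual `|e` route and the autoescaped route produce byte-identical output for this input; the difference is that the second cannot be undone by forgetting a filter on one variable, only by an explicit `|safe`, which is easy to grep for in review.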