niwinz / django-jinja

Simple and nonobstructive jinja2 integration with Django.
http://niwinz.github.io/django-jinja/latest/
BSD 3-Clause "New" or "Revised" License
360 stars 102 forks

Vulnerability found in jinja2 version 3.1.2 #312

Closed. isratmir closed this issue 4 months ago

isratmir commented 4 months ago

Is there a way to update the jinja version? Safety check fails with this error:

```
Vulnerability ID: 64227
Affected spec: <3.1.3
ADVISORY: Jinja2 before 3.1.3 is affected by a Cross-Site Scripting vulnerability. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject
arbitrary HTML attributes into the rendered HTML template. The Jinja 'xmlattr' filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and...
CVE-2024-22195
For more information about this vulnerability, visit https://data.safetycli.com/v/64227/97c
To ignore this vulnerability, use PyUp vulnerability id 64227 in safety's ignore command-line argument or add the ignore to your safety policy file.
```
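The advisory quoted in the report is easier to reason about with the filter's behaviour in front of you. The block below is an added example for this page, not code from the issue, from django-jinja or from Jinja itself. It models the `xmlattr` filter in plain Python (no `jinja2` import, so it runs offline) with a vulnerable pre-3.1.3 version beside the fixed one, and adds a version gate matching Safety's `<3.1.3` spec. The function names `xmlattr_vulnerable`, `xmlattr_fixed`, `jinja2_is_patched` and the constructed attacker input are mine; the key-validation regex `_BAD_KEY_RE` is my recollection of the check 3.1.3 introduced and is labelled as an assumption in the code.

```python
"""Model of Jinja2's ``xmlattr`` filter before and after the 3.1.3 fix (CVE-2024-22195).

Added illustration: re-implements the filter's logic in plain Python so it
runs without jinja2 installed. Not the library's own source.
"""
import html
import re

# Jinja's real filter escapes keys and values with markupsafe.escape; the
# stdlib html.escape covers the same five characters (& < > " ') here.
def _escape(s):
    return html.escape(str(s), quote=True)

# ASSUMPTION: this mirrors the attribute-name check Jinja 3.1.3 added
# (reject whitespace, '/', '>' and '=' in keys). 3.1.4 tightened it again,
# so treat this as a model of the fix, not the exact upstream code.
_BAD_KEY_RE = re.compile(r"[\s/>=]", flags=re.ASCII)


def xmlattr_vulnerable(attrs, autospace=True):
    """Pre-3.1.3 behaviour: values and keys are HTML-escaped, but keys are never
    validated. Spaces and '=' are not escaped, so an untrusted key can smuggle
    in additional attributes that autoescaping never sees as markup."""
    items = [f'{_escape(k)}="{_escape(v)}"' for k, v in attrs.items() if v is not None]
    rv = " ".join(items)
    if autospace and rv:
        rv = " " + rv
    return rv


def xmlattr_fixed(attrs, autospace=True):
    """3.1.3+ behaviour: identical output for well-formed keys, but a key that
    could break out of the attribute-name position raises ValueError before
    anything is rendered."""
    items = []
    for k, v in attrs.items():
        if v is None:  # Jinja also skips Undefined values; omitted in this model
            continue
        if _BAD_KEY_RE.search(str(k)) is not None:
            raise ValueError(f"Invalid character in attribute name: {k!r}")
        items.append(f'{_escape(k)}="{_escape(v)}"')
    rv = " ".join(items)
    if autospace and rv:
        rv = " " + rv
    return rv


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def jinja2_is_patched(version):
    """True when a jinja2 version string is >= 3.1.3, i.e. outside the
    advisory's affected spec '<3.1.3'. Raises on unparseable input."""
    m = _VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.groups()) >= (3, 1, 3)


if __name__ == "__main__":
    # Constructed attacker input: the payload lives in the *key*; the value is benign.
    evil = {"src=x onerror=alert(1) x": "y"}
    print("<img" + xmlattr_vulnerable(evil) + ">")  # -> <img src=x onerror=alert(1) x="y">
    try:
        xmlattr_fixed(evil)
    except ValueError as exc:
        print("3.1.3+ rejects it:", exc)
    print(jinja2_is_patched("3.1.2"), jinja2_is_patched("3.1.3"))  # -> False True
```

The exposure is limited to templates that feed attacker-controlled dictionary keys into `xmlattr`; literal keys written in the template were never affected. What the version gate checks is exactly what Safety is complaining about: anything below 3.1.3 renders the constructed `evil` dict into a working `onerror` handler with autoescaping switched on.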