open-telemetry / opentelemetry-python-contrib

OpenTelemetry instrumentation for Python modules
https://opentelemetry.io
Apache License 2.0

Jinja2 templating with autoescape=False #2398

Open rama280290 opened 3 months ago

rama280290 commented 3 months ago

Cross-site scripting (XSS) attacks can occur if untrusted input is not escaped. This applies to templates as well as code. The jinja2 templates may be vulnerable to XSS if the environment has autoescape set to False. Unfortunately, jinja2 sets autoescape to False by default. Explicitly setting autoescape to True when creating an Environment object will prevent this.

instrumentation/opentelemetry-instrumentation-jinja2/tests/test_jinja2.py:146

def test_file_template_with_root(self):
    with self.tracer.start_as_current_span("root"):
        loader = jinja2.loaders.FileSystemLoader(TMPL_DIR)
        env = jinja2.Environment(loader=loader)

References:

Jinja2: API
Wikipedia: Cross-site scripting
OWASP: XSS (Cross Site Scripting) Prevention Cheat Sheet
Common Weakness Enumeration: CWE-79
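The behaviour the issue describes, shown as an added example that is not code from the issue or from the opentelemetry-python-contrib project: the default Environment renders untrusted input verbatim, an Environment with autoescape=True escapes it, and select_autoescape() decides per template name, so a template not named with an .html/.htm/.xml extension stays unescaped. The template source and the untrusted input are constructed for this example.

```python
import jinja2

# Constructed untrusted input, standing in for an attacker-controlled field.
UNTRUSTED_NAME = "<script>alert(1)</script>"
# Constructed template that interpolates that field into HTML.
TEMPLATE_SRC = "<p>Hello {{ name }}</p>"


def render_unescaped(name: str) -> str:
    # jinja2.Environment() defaults to autoescape=False: markup in `name`
    # is copied into the output unchanged (the CWE-79 condition).
    env = jinja2.Environment()
    return env.from_string(TEMPLATE_SRC).render(name=name)


def render_escaped(name: str) -> str:
    # Explicit autoescape=True: <, >, &, " and ' are HTML-escaped on insertion.
    env = jinja2.Environment(autoescape=True)
    return env.from_string(TEMPLATE_SRC).render(name=name)


def render_with_selector(template_name: str, name: str) -> str:
    # select_autoescape() enables escaping only for templates whose name ends
    # in .html, .htm or .xml; other names fall back to its default (False).
    loader = jinja2.DictLoader({template_name: TEMPLATE_SRC})
    env = jinja2.Environment(loader=loader, autoescape=jinja2.select_autoescape())
    return env.get_template(template_name).render(name=name)


def autoescape_enabled(env: jinja2.Environment, template_name=None) -> bool:
    # Audit helper (assumed name): Environment.autoescape is either a bool or a
    # callable taking the template name, so resolve it for a given template.
    if callable(env.autoescape):
        return bool(env.autoescape(template_name))
    return bool(env.autoescape)


if __name__ == "__main__":
    print("default :", render_unescaped(UNTRUSTED_NAME))
    print("explicit:", render_escaped(UNTRUSTED_NAME))
    print("page.html:", render_with_selector("page.html", UNTRUSTED_NAME))
    print("page.txt :", render_with_selector("page.txt", UNTRUSTED_NAME))
    print("default env autoescape:", autoescape_enabled(jinja2.Environment()))
```

When reviewing an Environment(...) call, check both that autoescape is set and, if select_autoescape is used, that every template name the code loads matches one of its enabled extensions.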

rama280290 commented 3 months ago

Will create PR for this one