Jinja XSS Protection Disabled

ID: python.jinja_xss_protection_disabled

Severity: high

Resource: Misconfiguration

Language: Python

Tags: CWE:80, NIST.SP.800-53, OWASP:2021:A3, OWASP:2021:A5, PCI-DSS:6.5.7, jinja

Description

Jinja HTML auto-escaping is disabled.

Rationale

Cross-Site Scripting (XSS) is a vulnerability that occurs when an application includes untrusted data in a web page without proper validation or escaping.

In Jinja, XSS protection is primarily provided by the auto-escaping feature. Leaving auto-escaping disabled increases the risk of introducing XSS vulnerabilities, because developers must then manually ensure that every value rendered into a template is safe, which is error-prone.

from jinja2 import Environment, PackageLoader, select_autoescape

# Misconfigured: autoescape=False renders every template variable verbatim,
# so any untrusted value reaching an HTML template becomes an XSS sink.
env = Environment(
    loader=PackageLoader("yourapp"),
    autoescape=False
)

Remediation

To address XSS vulnerabilities when using Jinja, enable the autoescape setting so that values rendered into HTML templates are escaped by default rather than relying on every call site to escape them manually.
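The following is an added example, not code from the rule page or from the Jinja project. It builds two Environments over constructed in-memory templates (a DictLoader standing in for the application's PackageLoader), renders a constructed script-tag payload through each, and shows that the misconfigured Environment emits the tag verbatim while the remediated one, configured with select_autoescape, emits it HTML-escaped. It also shows the two cases a practitioner should know about: select_autoescape deliberately leaves non-HTML extensions such as .txt unescaped, and values wrapped in markupsafe.Markup bypass escaping because they are declared trusted. The template names and the payload are assumptions made for this example.

```python
from jinja2 import Environment, DictLoader, select_autoescape
from markupsafe import Markup

# Constructed templates standing in for the application's template package.
TEMPLATES = {
    "profile.html": "<p>Hello, {{ name }}!</p>",
    "profile.txt": "Hello, {{ name }}!",
}

# Constructed untrusted input: a classic script-tag probe a tester would submit
# as a display name to check whether output encoding is in place.
UNTRUSTED_NAME = "<script>alert(1)</script>"

# Remediated setting: escape HTML/XML templates by extension; default_for_string
# also covers templates compiled with Environment.from_string().
SAFE_AUTOESCAPE = select_autoescape(
    enabled_extensions=("html", "htm", "xml"),
    default_for_string=True,
)


def make_env(autoescape):
    """Build an Environment over the constructed templates with the given autoescape setting."""
    return Environment(loader=DictLoader(TEMPLATES), autoescape=autoescape)


def render_unsafe(name=UNTRUSTED_NAME):
    """Misconfigured Environment (autoescape=False): the payload lands in the HTML unchanged."""
    return make_env(False).get_template("profile.html").render(name=name)


def render_safe(name=UNTRUSTED_NAME):
    """Remediated Environment: '<' and '>' are encoded, so the browser renders text, not a script."""
    return make_env(SAFE_AUTOESCAPE).get_template("profile.html").render(name=name)


def render_text(name=UNTRUSTED_NAME):
    """Non-HTML template: select_autoescape leaves .txt output unescaped by design
    (correct for plain-text e-mail bodies, wrong if such output is ever served as HTML)."""
    return make_env(SAFE_AUTOESCAPE).get_template("profile.txt").render(name=name)


def render_trusted_markup(html="<b>Ada</b>"):
    """Markup values carry __html__ and are passed through even with autoescape on,
    so wrapping untrusted data in Markup (or piping it through |safe) reopens the hole."""
    return make_env(SAFE_AUTOESCAPE).get_template("profile.html").render(name=Markup(html))


if __name__ == "__main__":
    print("autoescape=False :", render_unsafe())
    print("select_autoescape:", render_safe())
    print("text template    :", render_text())
    print("Markup value     :", render_trusted_markup())
```

Run it as a script to see the four renderings side by side. The review question this leaves for a code base is therefore twofold: is autoescape enabled for every Environment that produces HTML, and is Markup or the |safe filter ever applied to data that originated from a user.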

References

  • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS).

  • Jinja API