Mako XSS Protection Disabled

ID

python.mako_xss_protection_disabled

Severity

high

Resource

Misconfiguration

Language

Python

Tags

CWE:80, NIST.SP.800-53, OWASP:2021:A3, OWASP:2021:A5, PCI-DSS:6.5.7, mako

Description

Mako HTML escaping disabled.

Rationale

Cross-Site Scripting (XSS) is a vulnerability that occurs when an application includes untrusted data in a web page without proper validation or escaping.

In Mako, HTML escaping is opt-in. It is provided by the h filter, which is applied to every ${...} expression only when default_filters=['h'] is configured on the TemplateLookup (or Template). Mako's own default, ['str'], converts each value to text but does not escape it. Leaving escaping off, as the configuration below does, means developers must remember to add | h to every expression that can carry untrusted data, which is error-prone, and a single omission is an XSS vulnerability.

from mako.lookup import TemplateLookup

lookup = TemplateLookup(
    directories=['/your/template/dir'],
    default_filters=[]  # No 'h' filter: ${...} output is written unescaped
)

Remediation

To effectively address XSS vulnerabilities when using Mako, set default_filters=['h'] on every TemplateLookup (and on any Template constructed directly) so that all ${...} expressions are HTML-escaped by default. The h filter neutralizes the characters &, <, >, " and '. Use the | n expression flag, which bypasses the default filters, only for markup the application generated itself; never apply it to user-controlled values.

References

  • CWE-80 : Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS).

  • Mako Templates