gitlab.bandit.B701
Download count: 385
Detected a Jinja2 environment without autoescaping. Jinja2 does not autoescape by default. This is dangerous if you are rendering to a browser, because it allows cross-site scripting (XSS) attacks. If you are in a web context, enable autoescaping by setting 'autoescape=True'. You may also consider using 'jinja2.select_autoescape()' to enable automatic escaping only for certain file extensions.
Definition
rules:
  - id: bandit.B701
    patterns:
      - pattern-not: jinja2.Environment(..., autoescape=True, ...)
      - pattern-not: jinja2.Environment(..., autoescape=jinja2.select_autoescape(...), ...)
      - pattern: jinja2.Environment(...)
    message: Detected a Jinja2 environment without autoescaping. Jinja2 does not
      autoescape by default. This is dangerous if you are rendering to a browser
      because this allows for cross-site scripting (XSS) attacks. If you are in
      a web context, enable autoescaping by setting 'autoescape=True.' You may
      also consider using 'jinja2.select_autoescape()' to only enable automatic
      escaping for certain file extensions.
    metadata:
      cwe: "CWE-116: Improper Encoding or Escaping of Output"
      owasp: "A7: Cross-Site Scripting (XSS)"
      primary_identifier: bandit.B701
      secondary_identifiers:
        - name: Bandit Test ID B701
          type: bandit_test_id
          value: B701
    license: MIT
    severity: WARNING
    languages:
      - python
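The following is an added example, not part of the rule page or of the Semgrep/Bandit rule itself. It shows the three Environment shapes the rule distinguishes: the bare jinja2.Environment(...) call that the `pattern` clause reports, and the two `pattern-not` forms (autoescape=True and autoescape=jinja2.select_autoescape(...)) that it accepts. The templates, the template names and the untrusted input string are constructed for the demonstration; it assumes only that the jinja2 package is installed.

```python
import jinja2
from jinja2 import DictLoader, select_autoescape

# Constructed sample templates (not from the page). The loader passes the
# template name to select_autoescape(), which is how extension-based escaping
# is decided per template.
TEMPLATES = {
    "greeting.html": "<p>Hello {{ name }}</p>",
    "greeting.txt": "Hello {{ name }}",
}

# Constructed stand-in for a value that reaches the template from a request.
UNTRUSTED_NAME = "<script>alert(1)</script>"


def render_unescaped(name: str) -> str:
    """The shape bandit.B701 flags: no autoescape argument, so Jinja2's
    default (False) applies and markup in `name` lands in the page verbatim."""
    env = jinja2.Environment(loader=DictLoader(TEMPLATES))
    return env.get_template("greeting.html").render(name=name)


def render_autoescape_all(name: str) -> str:
    """Accepted form 1: autoescape=True escapes output for every template."""
    env = jinja2.Environment(loader=DictLoader(TEMPLATES), autoescape=True)
    return env.get_template("greeting.html").render(name=name)


def render_select_autoescape(template_name: str, name: str) -> str:
    """Accepted form 2: select_autoescape() escapes only templates whose
    extension is in the enabled list, so greeting.html is escaped and
    greeting.txt (plain text, not rendered to a browser) is not."""
    env = jinja2.Environment(
        loader=DictLoader(TEMPLATES),
        autoescape=select_autoescape(enabled_extensions=("html", "xml")),
    )
    return env.get_template(template_name).render(name=name)


def is_escaped(rendered: str) -> bool:
    """Simple check: the raw tag from the input must not survive into output."""
    return "<script>" not in rendered


if __name__ == "__main__":
    cases = [
        ("no autoescape (flagged)", render_unescaped(UNTRUSTED_NAME)),
        ("autoescape=True", render_autoescape_all(UNTRUSTED_NAME)),
        ("select_autoescape, .html", render_select_autoescape("greeting.html", UNTRUSTED_NAME)),
        ("select_autoescape, .txt", render_select_autoescape("greeting.txt", UNTRUSTED_NAME)),
    ]
    for label, out in cases:
        print(f"{label:26} escaped={is_escaped(out)!s:5} {out}")
```

Running the script prints the same input rendered four ways: the flagged environment emits the tag unchanged, while both accepted forms turn it into `&lt;script&gt;...&lt;/script&gt;` for the .html template. The .txt case is the reason the rule accepts select_autoescape() as a fix: escaping is tied to the output format, so non-HTML templates keep their content as-is while anything rendered to a browser is escaped.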
Short Link: https://sg.run/v0j0