python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off
Community Favorite
Author: semgrep
Download count: 80,277
Detected a segment of a Flask template where autoescaping is explicitly disabled with '{% autoescape off %}'. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability, or turn autoescape on.
Definition
rules:
  - id: template-autoescape-off
    message: Detected a segment of a Flask template where autoescaping is explicitly
      disabled with '{% autoescape off %}'. This allows rendering of raw HTML in
      this segment. Ensure no user data is rendered here, otherwise this is a
      cross-site scripting (XSS) vulnerability, or turn autoescape on.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://flask.palletsprojects.com/en/1.1.x/templating/#controlling-autoescaping
        - https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup
      category: security
      technology:
        - flask
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - regex
    paths:
      include:
        - "*.html"
    severity: WARNING
    pattern-regex: "{%\\s*autoescape\\s+false\\s*%}"
Examples
template-autoescape-off.html
<h4>From: {{ from_email }}</h4>
<h4>To:
  {% for recipient in recipients %}
    {{ recipient }}
  {% endfor %}
</h4>
<h4>Subject: {{subject}}</h4>
<div class="email-html" style="display: block;">
  <!-- ruleid: template-autoescape-off -->
  {% autoescape false %}
    {{ html_message }}
  {% endautoescape %}
  <!-- ruleid: template-autoescape-off -->
  {% autoescape false %}
    {{ html_message }}
  {% endautoescape %}
  <!-- ruleid: template-autoescape-off -->
  {%autoescape false%}
    {{ html_message }}
  {% endautoescape %}
  <!-- ruleid: template-autoescape-off -->
  {%autoescape false %}
    {{ html_message }}
  {% endautoescape %}
</div>
<div class="email-text" style="display: none;">
  <pre>{{ body }}</pre>
</div>
<hr>
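As an added triage helper that is not part of the Semgrep rule or its test file above: the script below applies the rule's regex to a constructed template and, for each autoescape-off block it finds, lists the `{{ ... }}` expressions rendered inside it, which is the check the rule message asks a reviewer to make. The sample template, the `Finding` class and the function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample template (not the rule's own test file): two
# autoescape-off blocks, one interpolating variables, one with static markup only.
SAMPLE_TEMPLATE = """\
<h4>Subject: {{ subject }}</h4>
{% autoescape false %}
  {{ html_message }}
  {{ footer|safe }}
{% endautoescape %}
{%autoescape false%}
  <b>static text</b>
{% endautoescape %}
"""

# Same pattern the Semgrep rule uses, plus the end tag and Jinja print
# expressions. Only the lowercase literal `false` is matched, as in the rule.
AUTOESCAPE_OFF = re.compile(r"{%\s*autoescape\s+false\s*%}")
AUTOESCAPE_END = re.compile(r"{%\s*endautoescape\s*%}")
EXPRESSION = re.compile(r"{{\s*(.*?)\s*}}", re.DOTALL)


@dataclass
class Finding:
    line: int  # 1-based line of the opening tag
    expressions: list = field(default_factory=list)  # bodies of {{ ... }} in the block
    terminated: bool = True  # False when no endautoescape follows

    @property
    def renders_data(self) -> bool:
        # A block with no print expression emits only literal markup; the XSS
        # concern in the rule message applies when data is interpolated.
        return bool(self.expressions)


def find_autoescape_off_blocks(template: str) -> list:
    """Locate each `{% autoescape false %}` block and collect the expressions
    rendered inside it, so a reviewer knows which values need auditing.
    Nested blocks are not tracked: the first end tag closes a block."""
    findings = []
    for start in AUTOESCAPE_OFF.finditer(template):
        end = AUTOESCAPE_END.search(template, start.end())
        body = template[start.end():end.start() if end else len(template)]
        findings.append(Finding(
            line=template.count("\n", 0, start.start()) + 1,
            expressions=[m.group(1) for m in EXPRESSION.finditer(body)],
            terminated=end is not None,
        ))
    return findings
```

Blocks reported as "static markup only" can be closed quickly; blocks that render a value such as `html_message` need the data source traced, or the block replaced by keeping autoescape on and marking only trusted fragments safe.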
Short Link: https://sg.run/Bkn2