python.flask.security.xss.audit.template-autoescape-off.template-autoescape-off

Community Favorite
profile photo of returntocorpreturntocorp
Author
80,277
Download Count*

Detected a segment of a Flask template where autoescaping is explicitly disabled with '{% autoescape off %}'. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability, or turn autoescape on.

Run Locally

Run in CI

Defintion

rules:
  - id: template-autoescape-off
    message: Detected a segment of a Flask template where autoescaping is explicitly
      disabled with '{% autoescape off %}'. This allows rendering of raw HTML in
      this segment. Ensure no user data is rendered here, otherwise this is a
      cross-site scripting (XSS) vulnerability, or turn autoescape on.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://flask.palletsprojects.com/en/1.1.x/templating/#controlling-autoescaping
        - https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup
      category: security
      technology:
        - flask
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - regex
    paths:
      include:
        - "*.html"
    severity: WARNING
    pattern-regex: "{%\\s*autoescape\\s+false\\s*%}"

Examples

template-autoescape-off.html

<h4>From: {{ from_email }}</h4>
<h4>To:
    {% for recipient in recipients %}
    {{ recipient }}&nbsp;
    {% endfor %}
</h4>
<h4>Subject: {{subject}}</h4>
<div class="email-html" style="display: block;">
    <!-- ruleid: template-autoescape-off -->
    {% autoescape false %}
    {{ html_message }}
    {% endautoescape %}

    <!-- ruleid: template-autoescape-off -->
    {%      autoescape       false         %}
    {{ html_message }}
    {% endautoescape %}

    <!-- ruleid: template-autoescape-off -->
    {%autoescape false%}
    {{ html_message }}
    {% endautoescape %}

    <!-- ruleid: template-autoescape-off -->
    {%autoescape false %}
    {{ html_message }}
    {% endautoescape %}
</div>
<div class="email-text" style="display: none;">
    <pre>{{ body }}</pre>
</div>
<hr>