python.lang.security.audit.mako-templates-detected.mako-templates-detected
Community Favorite
semgrep
Author
48,169
Download Count*
License
Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping.
Run Locally
Run in CI
Defintion
rules:
- id: mako-templates-detected
pattern: mako.template.Template(...)
message: Mako templates do not provide a global HTML escaping mechanism. This
means you must escape all sensitive data in your templates using '| u' for
URL escaping or '| h' for HTML escaping. If you are using Mako to serve
web content, consider using a system such as Jinja2 which enables global
escaping.
metadata:
cwe:
- "CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')"
owasp:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/mako_templates.py
references:
- https://docs.makotemplates.org/en/latest/syntax.html#expression-escaping
- https://jinja.palletsprojects.com/en/2.11.x/intro/#
category: security
technology:
- mako
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cross-Site-Scripting (XSS)
languages:
- python
severity: INFO
Examples
mako-templates-detected.py
from mako.template import Template
from mako import template
import mako
import jinja2
# ruleid:mako-templates-detected
mako.template.Template("hern")
# ruleid:mako-templates-detected
template.Template("hern")
# ruleid:mako-templates-detected
Template("hello")
# ok:mako-templates-detected
t = jinja2.Template("Hello {{ name }}")
t.render(name="world!")
Short Link: https://sg.run/Q5v4