Skip to content

Commit 6c5730f

Browse files
rama280290rama280290
authored
Update test_jinja2.py (open-telemetry#2491)
Cross-site scripting (XSS) attacks can occur if untrusted input is not escaped. This applies to templates as well as code. The jinja2 templates may be vulnerable to XSS if the environment has autoescape set to False. Unfortunately, jinja2 sets autoescape to False by default. Explicitly setting autoescape to True when creating an Environment object will prevent this. Signed-off-by: Rajendran, Ramasubramanian <[email protected]>
1 parent d6e667f commit 6c5730f

File tree

1 file changed

+2
-2
lines changed
  • instrumentation/opentelemetry-instrumentation-jinja2/tests

1 file changed

+2
-2
lines changed

instrumentation/opentelemetry-instrumentation-jinja2/tests/test_jinja2.py

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -143,7 +143,7 @@ def test_generate_inline_template(self):
143143
def test_file_template_with_root(self):
144144
with self.tracer.start_as_current_span("root"):
145145
loader = jinja2.loaders.FileSystemLoader(TMPL_DIR)
146-
env = jinja2.Environment(loader=loader)
146+
env = jinja2.Environment(loader=loader, autoescape=True)
147147
template = env.get_template("template.html")
148148
self.assertEqual(
149149
template.render(name="Jinja"), "Message: Hello Jinja!"
@@ -164,7 +164,7 @@ def test_file_template_with_root(self):
164164

165165
def test_file_template(self):
166166
loader = jinja2.loaders.FileSystemLoader(TMPL_DIR)
167-
env = jinja2.Environment(loader=loader)
167+
env = jinja2.Environment(loader=loader, autoescape=True)
168168
template = env.get_template("template.html")
169169
self.assertEqual(
170170
template.render(name="Jinja"), "Message: Hello Jinja!"

0 commit comments

Comments
 (0)