apply HTML-autoescaping to all values

jkhsjdhjs · jkhsjdhjs · commit c673e1ff008e · 2025-03-03T16:29:01.000+01:00
Providing a custom autoescape function is currently not possible, so only HTML can be autoescaped for now (see #13). The filter `escape_md`, is added to escape markdown, but it needs to be applied manually.
diff --git a/README.md b/README.md
@@ -144,6 +144,16 @@ For more information on Jinja2 templates please refer to https://jinja.palletspr
 For more information on URL path templates in aiohttp, see https://docs.aiohttp.org/en/stable/web_quickstart.html#variable-resources.
 
 
+### Escaping
+HTML-escaping is performed on all values automatically.
+To prevent a value from being escaped, use the `safe` filter: `{{ foo | safe }}`
+Refer to the Jinja2 docs for more information on autoescaping: https://jinja.palletsprojects.com/en/stable/templates/#working-with-automatic-escaping
+
+> [!WARNING]
+> While HTML is escaped automatically, markdown is not. It needs to be escaped manually via the `escape_md` filter: `{{ foo | escape_md }}`
+> This behavior will eventually change when Jinja2 allows custom autoescape functions (see [#13](https://github.com/jkhsjdhjs/maubot-webhook/issues/13) for more information).
+
+
 
 ## Building
 Use the `mbc` tool to build this plugin:
@@ -162,6 +172,7 @@ zip -9r webhook.mbp *
 ```
 
 
+
 ## License
 <img align="right" src="https://www.gnu.org/graphics/agplv3-155x51.png"/>
 
diff --git a/webhook.py b/webhook.py
@@ -26,6 +26,13 @@
 from mautrix.util.config import BaseProxyConfig, ConfigUpdateHelper
 import mautrix.types
 import jinja2
+import re
+
+
+def escape_md(value: str) -> str:
+    # based on https://github.com/tulir/gomuks/blob/e0f107f0285936964afeeec8f4efbb312d9e3c22/web/src/util/markdown.ts
+    # replacing < and > is not necessary as HTML autoescaping is performed anyway
+    return re.sub(r'([\\`*_[\]])', r'\\\1', value)
 
 
 class Config(BaseProxyConfig):
@@ -120,7 +127,7 @@ def reload_template(self, key: str) -> None:
 
     def load_template(self, key: str) -> None:
         try:
-            self.templates[key] = jinja2.Template(self.config[key])
+            self.templates[key] = self.jinja_env.from_string(self.config[key])
         except jinja2.TemplateSyntaxError as e:
             # avoid 'During handling of the above exception, another exception occurred'
             # to keep the error message in the log as short as possible.
@@ -146,6 +153,9 @@ def register_webhook(self) -> None:
 
     async def start(self) -> None:
         self.templates: Dict[str, jinja2.Template] = {}
+        self.jinja_env: jinja2.Environment = jinja2.Environment(autoescape=True)
+        self.jinja_env.filters["escape_md"] = escape_md
+
         self.config.load_and_update()
         self.load_template("room")
         self.load_template("message")
