missing-autoescape-disabled
Detected a Jinja2 environment without autoescaping. Jinja2 does not autoescape by default. This is dangerous if you are rendering to a browser, because it allows cross-site scripting (XSS) attacks. If you are in a web context, enable autoescaping by setting ‘autoescape=True’. You may also consider using ‘jinja2.select_autoescape()’ to enable automatic escaping only for certain file extensions.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-116: Improper Encoding or Escaping of Output
OWASP:
- A03:2021 - Injection
incorrect-autoescape-disabled
Detected a Jinja2 environment with autoescaping explicitly disabled. This is dangerous if you are rendering to a browser, because it allows cross-site scripting (XSS) attacks. If you are in a web context, enable autoescaping by setting ‘autoescape=True’. You may also consider using ‘jinja2.select_autoescape()’ to enable automatic escaping only for certain file extensions.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-116: Improper Encoding or Escaping of Output
OWASP:
- A03:2021 - Injection
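Both rules above come down to the same Environment setting. The following added example (not part of the rule text) renders one constructed template and a constructed attacker-style input through the default environment, the hardened ‘autoescape=True’ environment, and a ‘select_autoescape()’ policy keyed on the template's file extension; it uses only jinja2's public Environment, DictLoader and select_autoescape.

```python
from jinja2 import DictLoader, Environment, select_autoescape

# Constructed sample input: a value an attacker could supply through a form field.
UNTRUSTED_NAME = "<script>alert(1)</script>"
# Constructed template, registered under two names so the extension-based
# policy below can be observed. The same source is served as HTML and as text.
TEMPLATE = "<p>Hello {{ name }}</p>"
TEMPLATES = {"page.html": TEMPLATE, "mail.txt": TEMPLATE}


def render_unescaped(name):
    # Environment() without the keyword: autoescape defaults to False, so the
    # markup in `name` reaches the browser intact (missing-autoescape-disabled).
    env = Environment(loader=DictLoader(TEMPLATES))
    return env.get_template("page.html").render(name=name)


def render_escaped(name):
    # Hardened form: every template rendered by this environment is escaped.
    env = Environment(loader=DictLoader(TEMPLATES), autoescape=True)
    return env.get_template("page.html").render(name=name)


def render_by_extension(name, template_name):
    # select_autoescape() returns a callable that decides per template name:
    # escape for the listed extensions, otherwise fall back to `default`.
    env = Environment(
        loader=DictLoader(TEMPLATES),
        autoescape=select_autoescape(
            enabled_extensions=("html", "htm", "xml"),
            default_for_string=True,  # from_string() templates have no name
            default=False,
        ),
    )
    return env.get_template(template_name).render(name=name)


def environment_escapes(env, template_name=None):
    # Check usable in a unit test: resolve the effective autoescape setting
    # for a given template name, whether it is a bool or a select callable.
    setting = env.autoescape
    return bool(setting(template_name)) if callable(setting) else bool(setting)


if __name__ == "__main__":
    print(render_unescaped(UNTRUSTED_NAME))
    print(render_escaped(UNTRUSTED_NAME))
    print(render_by_extension(UNTRUSTED_NAME, "page.html"))
    print(render_by_extension(UNTRUSTED_NAME, "mail.txt"))
```

Note that ‘mail.txt’ is rendered unescaped under the extension policy, which is the intended behaviour for plain-text output but means a template served to a browser under a non-listed extension is still exposed.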