
Jinja

Jinja is a "general purpose templating language" for Python.

Weaknesses

Warning:

Jinja's escaping will not protect you from Cross-Site Scripting if you do not quote your HTML attributes. The escape filter rewrites only the characters &, <, >, ' and ", so a value such as x onmouseover=alert(1) passes through it unchanged, and in an unquoted attribute the space alone is enough to start a new attribute.

Always quote your HTML attributes!
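The break-out described in the warning, as an added example (not code from the original page or the Jinja project). It renders one constructed attacker value into a quoted and an unquoted class attribute with autoescaping on, then tokenises the result with Python's html.parser, roughly as a browser would, to see which attributes the div ends up with. It assumes the jinja2 package is installed; the templates, payloads and helper names are constructed for this example.

```python
# Added example, not from the original page or the Jinja project: the same
# attacker-controlled value rendered into a quoted and an unquoted attribute
# with Jinja autoescaping enabled.  Requires the jinja2 package.
from html.parser import HTMLParser
from jinja2 import Environment

env = Environment(autoescape=True)

# Constructed templates: identical except for the quotes around the attribute.
QUOTED = '<div class="{{ cls }}">{{ body }}</div>'
UNQUOTED = '<div class={{ cls }}>{{ body }}</div>'

# Constructed payloads.  The first contains none of the five characters the
# escape filter rewrites (& < > ' "), so escaping cannot neutralise it.
PAYLOAD_SPACE = "x onmouseover=alert(document.cookie)"
PAYLOAD_QUOTE = 'x" onmouseover="alert(1)'


class DivAttrs(HTMLParser):
    """Collect the attributes of the first <div>, the way a browser tokeniser would."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "div" and self.attrs is None:
            self.attrs = attrs


def render(template_source, value):
    """Render one of the templates above with the attacker value as the class."""
    return env.from_string(template_source).render(cls=value, body="hi")


def div_attributes(template_source, value):
    """Return the (name, value) attribute pairs the rendered <div> ends up with."""
    parser = DivAttrs()
    parser.feed(render(template_source, value))
    return parser.attrs or []


def injected_attribute_names(template_source, value):
    """Attribute names other than 'class' that the value managed to smuggle in."""
    return [name for name, _ in div_attributes(template_source, value) if name != "class"]


if __name__ == "__main__":
    for label, tpl in (("quoted", QUOTED), ("unquoted", UNQUOTED)):
        for payload in (PAYLOAD_SPACE, PAYLOAD_QUOTE):
            print(label, render(tpl, payload), injected_attribute_names(tpl, payload))
```

With the quoted template both payloads stay inside the class attribute (the second one is rendered with &#34; in place of its quotes); the unquoted template turns the first payload into a separate onmouseover attribute even though escaping changed nothing in it.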

Escaping

Jinja escapes HTML in two ways: manually, through the |e filter (also spelled |escape), and automatically, for every {{ ... }} output, when the autoescape option of the Environment is enabled. Both paths use the same escape function, and both escape for an HTML body or quoted-attribute context only; they do not make a value safe inside a <script> block, a URL or a CSS rule.

The escape function is shown below. It replaces all occurrences of the &, <, >, ' and " characters in a variable with their HTML entity counterparts, in the order shown in the code: & is replaced first so that the & in the entities produced by the later replacements is not itself re-encoded. The result is a Markup object, and an input that already provides __html__ (a Markup object, or anything passed through |safe) is returned untouched, which is why such values must never wrap user input.

Code for 2.5 (the escape function; Jinja 2.5 targets Python 2, hence unicode):

    def escape(s):
        # Markup (a unicode subclass) and anything else with __html__ is trusted and returned as-is
        if hasattr(s, '__html__'):
            return s.__html__()
        # '&' first, so the '&' in the entities produced below is not rewritten to '&amp;'
        return Markup(unicode(s)
            .replace('&', '&amp;')
            .replace('>', '&gt;')
            .replace('<', '&lt;')
            .replace("'", '&#39;')
            .replace('"', '&#34;')
        )
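An added illustration of the replacement order above, not Jinja's own code: a Python 3 re-implementation of the chain (str in place of unicode and a minimal Markup stand-in) next to a deliberately mis-ordered variant that rewrites & last. The Markup class and the function names are this example's own.

```python
# Added example, not Jinja's code: a Python 3 re-implementation of the escape()
# replacement chain quoted above, used to show why '&' must be rewritten first
# and how the __html__ check lets already-escaped values pass through untouched.


class Markup(str):
    """Stand-in for jinja2's Markup: a str that declares itself already safe."""

    def __html__(self):
        return self


def escape(s):
    """Same replacement order as Jinja 2.5: '&' first, then the other four."""
    if hasattr(s, "__html__"):
        return s.__html__()
    return Markup(str(s)
        .replace("&", "&amp;")
        .replace(">", "&gt;")
        .replace("<", "&lt;")
        .replace("'", "&#39;")
        .replace('"', "&#34;"))


def escape_ampersand_last(s):
    """Deliberately wrong order: rewriting '&' last re-encodes the entities just produced."""
    return (str(s)
        .replace("<", "&lt;")
        .replace(">", "&gt;")
        .replace("&", "&amp;"))


def escape_twice(s):
    """Escaping an escaped value is a no-op because the first call returned Markup."""
    return escape(escape(s))


if __name__ == "__main__":
    sample = '<a href="?q=a&b">\'x\'</a>'
    print(escape(sample))
    print(escape_ampersand_last(sample))
    print(escape_twice(sample) == escape(sample))
```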

Automatic Escaping

Autoescaping is built into Jinja 2 but is off by default: a plain Environment() renders every variable raw. Setting autoescape=True on the Environment escapes every variable displayed in a template unless the value is a Markup object or is passed through |safe. Since Jinja 2.4, autoescape may also be a callable that receives the template name, so HTML templates can be escaped while plain-text templates are left alone. The jinja2.ext.autoescape extension, also added in 2.4, is not what turns escaping on; it only adds the {% autoescape true/false %} ... {% endautoescape %} block tag for switching the mode within a template (from Jinja 2.9 the tag is built in and the extension is no longer needed). To enable autoescaping and load the extension, modify your Environment instantiation to look similar to this:

env = Environment(autoescape=True, extensions=['jinja2.ext.autoescape'])

Manual Escaping

The |e filter (alias |escape) HTML escapes the variable passed through it, using the same escape function. Its result is a Markup object, so with autoescaping enabled a value written as {{ var|e }} is escaped once, not twice; to escape a value even when it is already marked safe, use |forceescape. The inverse filter |safe marks a value as trusted and exempts it from autoescaping, so it must only be applied to markup the application generated itself, never to user input.
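The Environment settings and the filters from the two sections above, as an added example (not from the original page or the Jinja project). It assumes Jinja 2.9 or later, where the {% autoescape %} tag is built in and select_autoescape exists; the template names, the templates and the attacker value are constructed here.

```python
# Added example, not from the original page or the Jinja project: how the
# autoescape setting, the |e filter and the |safe filter interact.
# Assumes jinja2 2.9 or later ({% autoescape %} built in, select_autoescape available).
from jinja2 import DictLoader, Environment, select_autoescape

USER_INPUT = '<script>alert("xss")</script>'  # constructed attacker-controlled value

# Constructed templates.  filters.html emits the same value four ways.
TEMPLATES = {
    "page.html": "{{ v }}",
    "page.txt": "{{ v }}",
    "filters.html": (
        "{{ v }}|{{ v|e }}|{{ v|safe }}|"
        "{% autoescape false %}{{ v }}{% endautoescape %}"
    ),
}

# The default: Environment() leaves autoescape=False, so {{ v }} is emitted raw.
default_env = Environment(loader=DictLoader(TEMPLATES))

# Escape every output unless it is marked safe.
strict_env = Environment(loader=DictLoader(TEMPLATES), autoescape=True)

# Decide by template name: autoescape accepts a callable (since Jinja 2.4);
# select_autoescape builds one that enables escaping for the listed extensions.
by_name_env = Environment(
    loader=DictLoader(TEMPLATES),
    autoescape=select_autoescape(["html", "htm", "xml"]),
)


def render(env, name, value=USER_INPUT):
    """Render one named template with the attacker value bound to v."""
    return env.get_template(name).render(v=value)


def filter_outputs(env):
    """The four renderings in filters.html: plain, |e, |safe, autoescape-off block."""
    return render(env, "filters.html").split("|")


if __name__ == "__main__":
    print("default :", render(default_env, "page.html"))
    print("strict  :", render(strict_env, "page.html"))
    print("by name :", render(by_name_env, "page.html"), "/", render(by_name_env, "page.txt"))
    print("filters :", filter_outputs(strict_env))
```

Under strict_env the first two outputs of filters.html are identical, which shows that |e does not double-escape when autoescaping is on, while |safe and the autoescape-off block both emit the script tag unchanged. Under default_env only the |e output is escaped, so a template that forgets the filter once is exposed.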


Edited by Craig Younkins on 6/23/10 11:55 AM

An OWASP project created by Craig Younkins
