jinja2-autoescape-false (S701)#
Derived from the flake8-bandit linter.
What it does#
Checks for jinja2
templates that use autoescape=False
.
Why is this bad?#
jinja2
templates that use autoescape=False
are vulnerable to cross-site
scripting (XSS) attacks that allow attackers to execute arbitrary
JavaScript.
By default, jinja2
sets autoescape
to False
, so it is important to
set autoescape=True
or use the select_autoescape
function to mitigate
XSS vulnerabilities.
Example#
Use instead: