I am researching some security bugs within some websites and would like to know if jinja2 enables autoescape by default. According to the Jinja documentation (http://jinja.pocoo.org/docs/2.9/faq/#why-is-autoescaping-not-the-default), it doesn't, but while I was testing the app on a new system, it was enabled (I may have accidentally done that though, not sure).
Can anyone shine some light on this?
According to the Flask documentation:

> Unless customized, Jinja2 is configured by Flask as follows: autoescaping is enabled for all templates ending in `.html`, `.htm`, `.xml` as well as `.xhtml` when using `render_template()`.

Also:

> autoescaping is enabled for all strings when using `render_template_string()`.

Finally:

> a template has the ability to opt in/out autoescaping with the `{% autoescape %}` tag.

So, while Jinja may not autoescape by default, Flask turns on Jinja's autoescaping by default.
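The rule quoted above can be reproduced with plain Jinja2 so you can see the difference yourself without a Flask app. This is an added example, not code from the question, the answer, or the Flask or Jinja projects; it assumes Jinja2 (2.9 or later, where the `{% autoescape %}` tag is built in) is installed. The template names, the template sources and the `<b>hi</b>` value are constructed for the demonstration. `flask_like_env()` uses Jinja's own `select_autoescape` to mirror Flask's default (escape for `.html`/`.htm`/`.xml`/`.xhtml`, escape for string templates, no escaping otherwise), while `plain_jinja_env()` shows what a bare `Environment` does with the same template.

```python
from jinja2 import DictLoader, Environment, select_autoescape

# Constructed templates standing in for a project's templates/ directory.
TEMPLATES = {
    "page.html": "<p>{{ name }}</p>",
    "page.txt": "Hello {{ name }}",
    # A non-HTML template can still opt in with the autoescape tag ...
    "optin.txt": "{% autoescape true %}{{ name }}{% endautoescape %}",
    # ... and an HTML template can opt out (only sensible for trusted values).
    "optout.html": "{% autoescape false %}{{ name }}{% endautoescape %}",
}

# Constructed value carrying markup, to make escaping visible in the output.
USER_INPUT = "<b>hi</b>"


def flask_like_env() -> Environment:
    """Jinja environment reproducing Flask's default autoescape rule:
    on for .html/.htm/.xml/.xhtml file names, on for templates built
    from strings (render_template_string), off for everything else."""
    return Environment(
        loader=DictLoader(TEMPLATES),
        autoescape=select_autoescape(
            enabled_extensions=("html", "htm", "xml", "xhtml"),
            default_for_string=True,  # what render_template_string() gets
            default=False,            # any other extension, e.g. .txt
        ),
    )


def plain_jinja_env() -> Environment:
    """A bare Jinja environment: autoescape is False unless you set it."""
    return Environment(loader=DictLoader(TEMPLATES))


def render(template_name: str, **ctx) -> str:
    """Render a named template the way Flask's render_template() would."""
    return flask_like_env().get_template(template_name).render(**ctx)


def render_string(source: str, **ctx) -> str:
    """Render a template string the way Flask's render_template_string() would."""
    return flask_like_env().from_string(source).render(**ctx)


def render_plain(template_name: str, **ctx) -> str:
    """Render the same named template with Jinja's own defaults (no escaping)."""
    return plain_jinja_env().get_template(template_name).render(**ctx)


if __name__ == "__main__":
    for name in TEMPLATES:
        print(f"flask-like {name:12} -> {render(name, name=USER_INPUT)}")
    print(f"flask-like <string>     -> {render_string('{{ name }}', name=USER_INPUT)}")
    print(f"plain jinja page.html   -> {render_plain('page.html', name=USER_INPUT)}")
```

Running it prints the escaped `&lt;b&gt;hi&lt;/b&gt;` for `page.html`, `optin.txt` and the string template, and the raw `<b>hi</b>` for `page.txt`, `optout.html` and for `page.html` under the plain Jinja environment. That last line is the answer to the question: the same template is escaped or not depending on who configured the environment, so when checking an application, verify the `Environment.autoescape` setting (in Flask, `app.jinja_env.autoescape`) rather than assuming Jinja's documented default applies.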