Improper Encoding or Escaping of Output
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-116: Improper Encoding or Escaping of Output |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
The Jinja2 template environment is created without enabling autoescaping, which means user-supplied data rendered in templates won’t be automatically escaped. This can lead to unsafe HTML output when displaying content in a browser.
Impact#
Without autoescaping, attackers could inject malicious scripts (XSS) into web pages, allowing them to steal user data, hijack sessions, or deface the site. This compromises both user security and the application’s integrity.