| Property | Value |
| --- | --- |
| Language | python |
| Severity | medium |
| CWE | CWE-116: Improper Encoding or Escaping of Output |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |

## Description

The Jinja2 template environment is configured with autoescaping disabled (`autoescape=False`, which is also Jinja2's default when the option is omitted). User-supplied data rendered in templates is therefore not escaped automatically: any HTML or script it contains is emitted verbatim into the page, which is unsafe for web output.
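The check this rule describes, written here as an added example using only Python's `ast` module (it is not the scanner's own implementation): it walks a constructed source sample containing the weak configuration beside the corrected one and reports every `Environment(...)` whose autoescaping is off.

```python
import ast

# Constructed sample: three Jinja2 environment set-ups, two unsafe and one hardened.
SAMPLE_SOURCE = '''
from jinja2 import Environment, FileSystemLoader, select_autoescape

# Unsafe: autoescaping is explicitly off, so user data is rendered verbatim.
unsafe_env = Environment(loader=FileSystemLoader("templates"), autoescape=False)

# Also unsafe: Environment() defaults to autoescape=False when the option is omitted.
default_env = Environment(loader=FileSystemLoader("templates"))

# Hardened: escape output for HTML/XML templates automatically.
safe_env = Environment(
    loader=FileSystemLoader("templates"),
    autoescape=select_autoescape(["html", "xml"]),
)
'''


def _is_jinja_environment(call: ast.Call) -> bool:
    """Match both Environment(...) and jinja2.Environment(...) calls."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id == "Environment"
    if isinstance(func, ast.Attribute):
        return func.attr == "Environment"
    return False


def find_unescaped_environments(source: str) -> list:
    """Return (line, reason) pairs for each Environment(...) with autoescaping off.

    Flags an explicit autoescape=False and a missing autoescape keyword (Jinja2's
    default is False). True, select_autoescape(...) or any other callable counts
    as enabled and is not reported.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_jinja_environment(node)):
            continue
        kw = next((k for k in node.keywords if k.arg == "autoescape"), None)
        if kw is None:
            findings.append((node.lineno, "autoescape not set (defaults to False)"))
        elif isinstance(kw.value, ast.Constant) and kw.value.value is False:
            findings.append((node.lineno, "autoescape=False"))
    return findings


if __name__ == "__main__":
    for line, reason in find_unescaped_environments(SAMPLE_SOURCE):
        print(f"line {line}: Jinja2 Environment with {reason}")
```

The hardened form shown in the sample, `autoescape=select_autoescape(["html", "xml"])`, is the configuration this rule expects; the checker reports lines 5 and 8 of the sample and passes line 11.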

## Impact

With autoescaping turned off, attackers can inject malicious scripts (XSS) into pages viewed by users, potentially leading to stolen credentials, session hijacking, or unauthorized actions performed on behalf of users. This can compromise user data and trust in your application.