Enable auto-escaping templates

This will prevent most cases of insertion of HTML or other code into the generated HTML. Fixes: CVE-2015-5215 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
author: Patrick Uiterwijk <puiterwijk@redhat.com> 2015-08-18 17:10:46 +0200
committer: Patrick Uiterwijk <puiterwijk@redhat.com> 2015-08-21 15:45:20 +0200
commit: a503aa9c2a30a74e709d1c88099befd50fb2eb16 (patch)
tree: 7f514df6fc75652b239c26596c0d374e1f2f10d2
parent: 826e6339441546f596320f3d73304ab5f7c10de6 (diff)
download: ipsilon-a503aa9c2a30a74e709d1c88099befd50fb2eb16.tar.gz
ipsilon-a503aa9c2a30a74e709d1c88099befd50fb2eb16.tar.xz
ipsilon-a503aa9c2a30a74e709d1c88099befd50fb2eb16.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/ipsilon/ipsilon b/ipsilon/ipsilon
index a0cc158..bec13af 100755
--- a/ipsilon/ipsilon
+++ b/ipsilon/ipsilon
@@ -60,7 +60,9 @@ else:
 template_loaders.append(FileSystemLoader(
     os.path.join(cherrypy.config['base.dir'],
                  default_template_dir)))
-template_env = Environment(loader=ChoiceLoader(template_loaders))
+template_env = Environment(loader=ChoiceLoader(template_loaders),
+                           autoescape=True,
+                           extensions=['jinja2.ext.autoescape'])
 
 if __name__ == "__main__":
     conf = {'/': {'tools.staticdir.root': os.getcwd()},
author	Patrick Uiterwijk <puiterwijk@redhat.com>	2015-08-18 17:10:46 +0200
committer	Patrick Uiterwijk <puiterwijk@redhat.com>	2015-08-21 15:45:20 +0200
commit	a503aa9c2a30a74e709d1c88099befd50fb2eb16 (patch)
tree	7f514df6fc75652b239c26596c0d374e1f2f10d2
parent	826e6339441546f596320f3d73304ab5f7c10de6 (diff)
download	ipsilon-a503aa9c2a30a74e709d1c88099befd50fb2eb16.tar.gz ipsilon-a503aa9c2a30a74e709d1c88099befd50fb2eb16.tar.xz ipsilon-a503aa9c2a30a74e709d1c88099befd50fb2eb16.zip