github/datasette
1
0
Fork 0
mirror of https://github.com/simonw/datasette.git synced 2025-12-10 16:51:24 +01:00
Code Issues Projects Releases Packages Wiki Activity

Turn on auto-escaping in Jinja

Browse source 
We had XSS holes! Since we don't do cookies or authentication
they shouldn't cause any actual harm, but still really not good.

https://github.com/pallets/jinja/issues/528
This commit is contained in:
Simon Willison 2017-11-15 17:59:42 -08:00
commit 82261a638b
1 changed files with 2 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
datasette/app.py
View file

@ -610,7 +610,8 @@ class Datasette:
app, app,
loader=FileSystemLoader([ loader=FileSystemLoader([
str(app_root / 'datasette' / 'templates') str(app_root / 'datasette' / 'templates')
]) ]),
autoescape=True,
) )
self.jinja.add_env('escape_css_string', escape_css_string, 'filters') self.jinja.add_env('escape_css_string', escape_css_string, 'filters')
self.jinja.add_env('quote_plus', lambda u: urllib.parse.quote_plus(u), 'filters') self.jinja.add_env('quote_plus', lambda u: urllib.parse.quote_plus(u), 'filters')