This will prevent most cases of insertion of HTML or other
code into the generated HTML.
Fixes: CVE-2015-5215
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
template_loaders.append(FileSystemLoader(
os.path.join(cherrypy.config['base.dir'],
default_template_dir)))
template_loaders.append(FileSystemLoader(
os.path.join(cherrypy.config['base.dir'],
default_template_dir)))
-template_env = Environment(loader=ChoiceLoader(template_loaders))
+template_env = Environment(loader=ChoiceLoader(template_loaders),
+ autoescape=True,
+ extensions=['jinja2.ext.autoescape'])
if __name__ == "__main__":
conf = {'/': {'tools.staticdir.root': os.getcwd()},
if __name__ == "__main__":
conf = {'/': {'tools.staticdir.root': os.getcwd()},