0
0
Fork 1
mirror of https://mau.dev/maunium/synapse.git synced 2024-11-16 23:11:34 +01:00

Enable auto-escaping for the consent templates

... to reduce the risk of somebody introducing an html injection attack...
This commit is contained in:
Richard van der Hoff 2018-05-22 14:18:53 +01:00
parent 3b2def6c7a
commit 669400e22f

View file

@ -114,7 +114,10 @@ class ConsentResource(Resource):
)
loader = jinja2.FileSystemLoader(consent_template_directory)
self._jinja_env = jinja2.Environment(loader=loader)
self._jinja_env = jinja2.Environment(
loader=loader,
autoescape=jinja2.select_autoescape(['html', 'htm', 'xml']),
)
if hs.config.form_secret is None:
raise ConfigError(