forked from MirrorHub/synapse
Enable auto-escaping for the consent templates
... to reduce the risk of somebody introducing an html injection attack...
This commit is contained in:
parent
3b2def6c7a
commit
669400e22f
1 changed files with 4 additions and 1 deletions
|
@ -114,7 +114,10 @@ class ConsentResource(Resource):
|
||||||
)
|
)
|
||||||
|
|
||||||
loader = jinja2.FileSystemLoader(consent_template_directory)
|
loader = jinja2.FileSystemLoader(consent_template_directory)
|
||||||
self._jinja_env = jinja2.Environment(loader=loader)
|
self._jinja_env = jinja2.Environment(
|
||||||
|
loader=loader,
|
||||||
|
autoescape=jinja2.select_autoescape(['html', 'htm', 'xml']),
|
||||||
|
)
|
||||||
|
|
||||||
if hs.config.form_secret is None:
|
if hs.config.form_secret is None:
|
||||||
raise ConfigError(
|
raise ConfigError(
|
||||||
|
|
Loading…
Reference in a new issue