Enable auto-escaping for the consent templates

... to reduce the risk of somebody introducing an html injection attack...
This commit is contained in:
Richard van der Hoff 2018-05-22 14:18:53 +01:00
parent 3b2def6c7a
commit 669400e22f

View file

@ -114,7 +114,10 @@ class ConsentResource(Resource):
) )
loader = jinja2.FileSystemLoader(consent_template_directory) loader = jinja2.FileSystemLoader(consent_template_directory)
self._jinja_env = jinja2.Environment(loader=loader) self._jinja_env = jinja2.Environment(
loader=loader,
autoescape=jinja2.select_autoescape(['html', 'htm', 'xml']),
)
if hs.config.form_secret is None: if hs.config.form_secret is None:
raise ConfigError( raise ConfigError(