hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 11:15:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: clean up change notes and query help.

Browse Source
This commit is contained in:
Mark Shannon
2018-11-28 15:02:47 +00:00
parent eefb45c94b
commit 21246dcbf2
3 changed files with 10 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.qhelp
View File

@@ -6,7 +6,7 @@
<overview>
<p>
Cross-site scripting attacks can occur if untrusted input is not escaped. This applies to templates as well as code.
Cross-site scripting (XSS) attacks can occur if untrusted input is not escaped. This applies to templates as well as code.
The <code>jinja2</code> templates may be vulnerable to XSS if the environment has <code>autoescape</code> set to <code>False</code>.
Unfortunately, <code>jinja2</code> sets <code>autoescape</code> to <code>False</code> by default.
Explicitly setting <code>autoescape</code> to <code>True</code> when creating an <code>Environment</code> object will prevent this.
@@ -23,7 +23,7 @@ For example, it can be used when creating an environment <code>Environment(autoe
<example>
<p>
The following example is a minimal flask app which shows a safe and unsafe way to render the given name back to the page.
The following example is a minimal Flask app which shows a safe and an unsafe way to render the given name back to the page.
The first view is unsafe as <code>first_name</code> is not escaped, leaving the page vulnerable to cross-site scripting attacks.
The second view is safe as <code>first_name</code> is escaped, so it is not vulnerable to cross-site scripting attacks.
</p>
@@ -32,11 +32,13 @@ The second view is safe as <code>first_name</code> is escaped, so it is not vuln
<references>
<li>
http://jinja.pocoo.org/docs/2.10/api/
Jinja2: <a href="http://jinja.pocoo.org/docs/2.10/api/">API</a>.
</li>
<li>
Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
</li>
<li>
OWASP: <a href="https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet">XSS (Cross Site Scripting) Prevention Cheat Sheet</a>.
</li>
</references>
</qhelp>

2
python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
View File

@@ -1,6 +1,6 @@
/**
* @name Jinja2 templating with autoescape=False
* @description Using jinja2 templates with autoescape=False can
* @description Using jinja2 templates with 'autoescape=False' can
* cause a cross-site scripting vulnerability.
* @kind problem
* @problem.severity error