Python: Add change note for jinja2-autoescape query.

2026-05-03 12:45:27 +02:00 · 2018-11-23 14:39:22 +00:00
parent 243280dc00
commit 2518ac561e
1 changed files with 1 additions and 0 deletions
--- a/change-notes/1.19/analysis-python.md
+++ b/change-notes/1.19/analysis-python.md
@@ -58,6 +58,7 @@ A new predicate `Stmt.getAnEntryNode()` has been added to make it easier to writ
 |-----------------------------|-----------|--------------------------------------------------------------------|
 | Flask app is run in debug mode (`py/flask-debug`) | security, external/cwe/cwe-215, external/cwe/cwe-489 | Finds instances where a Flask application is run in debug mode. Enabled on LGTM by default. |
 | Information exposure through an exception (`py/stack-trace-exposure`) | security, external/cwe/cwe-209, external/cwe/cwe-497 | Finds instances where information about an exception may be leaked to an external user. Enabled on LGTM by default. |
+| Jinja2 templating with autoescape=False (`ppy/jinja2/autoescape-false`) | security, external/cwe/cwe-079 | Finds instantiations of jinja2.Environment with `autoescape=False` which may allow XSS attacks. Not enabled on LGTM by default. |
 | Request without certificate validation (`py/request-without-cert-validation`) | security, external/cwe/cwe-295 | Finds requests where certificate verification has been explicitly turned off, possibly allowing man-in-the-middle attacks. Not enabled on LGTM by default. |

 ## Changes to existing queries