codeql/python/ql/test/query-tests/Security/CWE-074-TemplateInjection/JinjaSsti.py
2024-12-09 19:55:36 +00:00


from django.urls import path
from django.http import HttpResponse
from jinja2 import Template
from jinja2 import Environment, DictLoader, escape
def a(request):
    """Django view serving as a CodeQL test case for template injection (CWE-074).

    Deliberately vulnerable: the Jinja2 template *source* is read from the
    ``template`` query parameter, so the client controls the template text
    that the server compiles and renders.  Only ``name`` is passed through
    ``escape()``, which neutralises HTML metacharacters in that one value;
    it does nothing to constrain the template itself.  The safe shape is a
    fixed, developer-authored template with request data supplied only via
    the render context.  The ``# BAD`` marker on the sink is presumably what
    the query's expected results are checked against.

    NOTE(review): ``escape`` is imported from ``jinja2`` here; newer Jinja2
    releases no longer re-export it (it lives in ``markupsafe``) — confirm
    against the version this test environment pins.
    """
    # Load the template
    template = request.GET['template']  # untrusted: taken straight from the query string
    t = Template(template) # BAD: Template constructed from user input
    name = request.GET['name']
    # Render the template with the context data
    # escape() protects the `name` value against HTML injection in the output,
    # not against the attacker-controlled template logic above.
    html = t.render(name=escape(name))
    return HttpResponse(html)
def b(request):
    """Second CodeQL test case: template injection via ``Environment.from_string``.

    Same deliberate defect as ``a`` but through the Environment API: the
    template text comes from the ``template`` query parameter and is compiled
    with ``env.from_string``.  As in ``a``, ``escape()`` is applied to the
    ``name`` value only; it is not a mitigation for a client-supplied template.

    NOTE(review): ``Environment()`` is constructed with default settings
    (autoescape off), so the manual ``escape()`` call is the only output
    encoding in this view — relevant only for the rendered value, not for
    the template-injection sink the test is about.
    """
    import jinja2  # unused in this function; kept as written in the fixture
    # Load the template
    template = request.GET['template']  # untrusted: taken straight from the query string
    env = Environment()
    t = env.from_string(template) # BAD: Template constructed from user input
    name = request.GET['name']
    # Render the template with the context data
    # escape() covers the `name` value only; the template source is still
    # whatever the request supplied.
    html = t.render(name=escape(name))
    return HttpResponse(html)
# URL routing for the two test views.  Presumably the query relies on these
# literal path() registrations to recognise `a` and `b` as Django request
# handlers whose `request` argument carries untrusted data — confirm against
# the Django model used by the query before restructuring this list.
urlpatterns = [
    path('a', a),
    path('b', b)
]