GSoC/GCI Archive
Google Code-in 2010 MoinMoin Wiki

autoescaping with jinja2 - review code and templates to prepare for it

completed by: Roboraider

mentors: Alexander Schremmer, ReimarBauer, Thomas Waldmann, Ronny Pfannschmidt

 

Abstract

You have to find all places (in the templates and in the code) where we insert HTML into the output, and mark them with HHH (hahaha).

 

Details

If we want to use autoescaping, we can't directly insert HTML into the output; the HTML needs to be wrapped using the Markup class of jinja2, which tells the template engine that the string is already safe and must not be escaped again.

Your task is preparation for a more difficult follow-up task, where these issues get fixed.

Please note that you not only have to locate the places where explicitly given HTML (like <b>foo</b>) is inserted, but also the places where configurable features might be based on HTML fragments.
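As an added illustration (not part of the task page or of MoinMoin's own code), the following Python snippet shows what the review is preparing for: an autoescaping Jinja2 environment escapes a plain string, so a configured HTML fragment passed as str is mangled, while the same fragment wrapped in Markup passes through and untrusted text is still escaped. It assumes jinja2 and markupsafe are installed; the template and sample values are constructed for the example.

```python
from jinja2 import Environment
from markupsafe import Markup

# Environment configured the way MoinMoin would be once autoescaping is on:
# every {{ expression }} is HTML-escaped unless the value carries __html__
# (i.e. is a Markup object).
env = Environment(autoescape=True)

# Constructed template standing in for a MoinMoin theme template.
TEMPLATE = '<p>{{ body }}</p><div id="footer">{{ footer }}</div>'

# Constructed sample values: untrusted wiki input and a configurable HTML
# fragment of the kind the task asks reviewers to find (an "HHH" candidate).
USER_TEXT = 'hello <script>alert(1)</script>'
CONFIG_FOOTER_HTML = '<b>foo</b>'


def render(body, footer):
    """Render TEMPLATE with the autoescaping environment and return the HTML."""
    return env.from_string(TEMPLATE).render(body=body, footer=footer)


def render_unmarked():
    """Configured HTML passed as a plain str: autoescaping turns it into the
    literal text &lt;b&gt;foo&lt;/b&gt;, which is why such places must be found."""
    return render(USER_TEXT, CONFIG_FOOTER_HTML)


def render_marked():
    """Same fragment wrapped in Markup: it is declared trusted and passes
    through unchanged, while the untrusted user text is still escaped."""
    return render(USER_TEXT, Markup(CONFIG_FOOTER_HTML))


def wrap_untrusted(label):
    """Combine trusted markup with untrusted data the safe way: Markup.format
    escapes its arguments. Markup('<b>' + label + '</b>') would instead mark
    the raw label as safe and reintroduce the XSS that autoescaping prevents."""
    return Markup('<b>{}</b>').format(label)
```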

 

Benefits

Jinja2's autoescaping makes output generation more secure and less error-prone.

If autoescaping is not used and one forgets to escape some string, attackers might be able to mount XSS attacks through that string.

 

Skill Requirements

See tags.

 

You can discuss this issue in the MoinMoin wiki: http://moinmo.in/EasyToDo/autoescaping%20with%20jinja2%20-%20review%20code%20and%20templates%20to%20prepare%20for%20it