Skip to content

jinja2-autoescape-false (S701)#

Derived from the flake8-bandit linter.

What it does#

Checks for jinja2 templates that use autoescape=False.

Why is this bad?#

jinja2 templates that use autoescape=False are vulnerable to cross-site scripting (XSS) attacks that allow attackers to execute arbitrary JavaScript.

By default, jinja2 sets autoescape to False, so it is important to set autoescape=True or use the select_autoescape function to mitigate XSS vulnerabilities.


import jinja2


Use instead:

import jinja2

jinja2.Environment(loader=jinja2.FileSystemLoader("."), autoescape=True)