Enable auto-escaping for the consent templates
... to reduce the risk of somebody introducing an html injection attack...pull/3262/head
parent
3b2def6c7a
commit
669400e22f
|
@ -114,7 +114,10 @@ class ConsentResource(Resource):
|
|||
)
|
||||
|
||||
loader = jinja2.FileSystemLoader(consent_template_directory)
|
||||
self._jinja_env = jinja2.Environment(loader=loader)
|
||||
self._jinja_env = jinja2.Environment(
|
||||
loader=loader,
|
||||
autoescape=jinja2.select_autoescape(['html', 'htm', 'xml']),
|
||||
)
|
||||
|
||||
if hs.config.form_secret is None:
|
||||
raise ConfigError(
|
||||
|
|
Loading…
Reference in New Issue