Enable auto-escaping for the consent templates

... to reduce the risk of somebody introducing an html injection attack...
7 years ago · 669400e22f
parent 3b2def6c7a
commit 669400e22f
1 changed files with 4 additions and 1 deletions
--- a/synapse/rest/consent/consent_resource.py
+++ b/synapse/rest/consent/consent_resource.py
@ -114,7 +114,10 @@ class ConsentResource(Resource):
            )

        loader = jinja2.FileSystemLoader(consent_template_directory)
-        self._jinja_env = jinja2.Environment(loader=loader)
+        self._jinja_env = jinja2.Environment(
+            loader=loader,
+            autoescape=jinja2.select_autoescape(['html', 'htm', 'xml']),
+        )

        if hs.config.form_secret is None:
            raise ConfigError(