== Why is this an issue?

Template engines have an HTML autoescape mechanism that protects web applications against most common cross-site-scripting (XSS) vulnerabilities.

By default, it automatically replaces HTML special characters in any template variables. This secure by design configuration should not be globally disabled.


Escaping HTML from template variables prevents switching into any execution context, like ``++<script>++``. Disabling autoescaping forces developers to manually escape each template variable for the application to be safe. A more pragmatic approach is to escape by default and to manually disable escaping when needed.


A successful exploitation of a cross-site-scripting vulnerability by an attacker allow him to execute malicious JavaScript code in a user's web browser. The most severe XSS attacks involve:

* Forced redirection
* Modify presentation of content
* User accounts takeover after disclosure of sensitive information like session cookies or passwords

This rule supports the following libraries:

* https://github.com/django/django[Django Templates]
* https://github.com/pallets/jinja[Jinja2]


=== Noncompliant code example

[source,python]
----
from jinja2 import Environment

env = Environment() # Noncompliant; New Jinja2 Environment has autoescape set to false
env = Environment(autoescape=False) # Noncompliant
----


=== Compliant solution

[source,python]
----
from jinja2 import Environment
env = Environment(autoescape=True) # Compliant
----


== Resources

* https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md[OWASP Cheat Sheet] - XSS Prevention Cheat Sheet
* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
* CWE - https://cwe.mitre.org/data/definitions/79[CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
* CWE - https://cwe.mitre.org/data/definitions/80[CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)]
* CWE - https://cwe.mitre.org/data/definitions/81[CWE-81 - Improper Neutralization of Script in an Error Message Web Page]
* CWE - https://cwe.mitre.org/data/definitions/82[CWE-82 - Improper Neutralization of Script in Attributes of IMG Tags in a Web Page]
* CWE - https://cwe.mitre.org/data/definitions/83[CWE-83 - Improper Neutralization of Script in Attributes in a Web Page]
* CWE - https://cwe.mitre.org/data/definitions/84[CWE-84 - Improper Neutralization of Encoded URI Schemes in a Web Page]
* CWE - https://cwe.mitre.org/data/definitions/85[CWE-85 - Doubled Character XSS Manipulations]
* CWE - https://cwe.mitre.org/data/definitions/86[CWE-86 - Improper Neutralization of Invalid Characters in Identifiers in Web Pages]
* CWE - https://cwe.mitre.org/data/definitions/87[CWE-87 - Improper Neutralization of Alternate XSS Syntax]



ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Remove this configuration disabling autoescape globally.


'''
== Comments And Links
(visible only on this page)

=== on 20 Sep 2019, 14:25:22 Pierre-Yves Nicolas wrote:
\[~pierre-loup.tristant] What should be the message displayed on the issues raised for this RSPEC?

endif::env-github,rspecator-view[]