== Why is this an issue? include::../rationale.adoc[] include::../impact.adoc[] == How to fix it === Code examples ==== Noncompliant code example The following code is vulnerable to server-side template injection because it is inserting untrusted inputs into a string that is then processed for rendering. + This vulnerability arises because the rendering function does not validate the input, allowing attackers to potentially inject malicious Python code for execution. [source,python,diff-id=1,diff-type=noncompliant] ---- from flask import request, render_template_string @app.route('/example') def example(): username = request.args.get('username') template = f"

Hello {username}

" return render_template_string(template) # Noncompliant ---- ==== Compliant solution [source,python,diff-id=1,diff-type=compliant] ---- from flask import request, render_template_string @app.route('/example') def example(): username = request.args.get('username') template = "

Hello {{ username }}

" return render_template_string(template, username=username) ---- === How does this work? ==== Use template variables The universal method to prevent path injection is to sanitize untrusted data. Manual sanitization is error-prone, so it is best to automate the process. Here, `render_template_string` automatically sanitizes template variables by escaping them. This means that any untrusted data will not be able to break out of the initially intended template logic. == Resources === Articles & blog posts * https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee[SSTI in Flask/Jinja2] include::../standards.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message include::../message.adoc[] === Highlighting "[varname]" is tainted (assignments and parameters) this argument is tainted (method invocations) the returned value is tainted (returns & method invocations results) ''' endif::env-github,rspecator-view[]