diff options
| author | Richard van der Hoff <richard@matrix.org> | 2018-05-22 14:18:53 +0100 |
|---|---|---|
| committer | Richard van der Hoff <richard@matrix.org> | 2018-05-22 14:58:34 +0100 |
| commit | 669400e22f514efbd846cad1f2943a48d79276b7 (patch) | |
| tree | 16910edcd2302ee240577bd64f04f54fe30dfc8f /synapse/rest | |
| parent | Merge pull request #3257 from matrix-org/rav/fonx_on_no_consent (diff) | |
| download | synapse-669400e22f514efbd846cad1f2943a48d79276b7.tar.xz | |
Enable auto-escaping for the consent templates
... to reduce the risk of somebody introducing an html injection attack...
Diffstat (limited to 'synapse/rest')
| -rw-r--r-- | synapse/rest/consent/consent_resource.py | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/synapse/rest/consent/consent_resource.py b/synapse/rest/consent/consent_resource.py index 306385601c..e6a6dcbefa 100644 --- a/synapse/rest/consent/consent_resource.py +++ b/synapse/rest/consent/consent_resource.py @@ -114,7 +114,10 @@ class ConsentResource(Resource): ) loader = jinja2.FileSystemLoader(consent_template_directory) - self._jinja_env = jinja2.Environment(loader=loader) + self._jinja_env = jinja2.Environment( + loader=loader, + autoescape=jinja2.select_autoescape(['html', 'htm', 'xml']), + ) if hs.config.form_secret is None: raise ConfigError( |