autoescaping with jinja2 - review code and templates to prepare for it
completed by: Roboraider
mentors: Alexander Schremmer, ReimarBauer, Thomas Waldmann, Ronny Pfannschmidt
Abstract
You have to find all places (in the templates, in the code) where we insert HTML into the output, mark them with HHH (hahaha).
Details
If we want to use autoescaping, we can't directly insert HTML into the output, but the html needs to be wrapped using the Markup class of jinja2.
Your task is preparation for a more difficult follow-up task, where these issues get fixed.
Please note that you do not only have to locate the places where explicitely given html (like <b>foo</b>) is inserted, but also configurable features might be based on html fragments.
Benefits
Jinja2's autoescaping makes output generation more secure and less error-prone.
If autoescaping is not used and one forgets to escape some string, attackers might be able to create XSS attacks.
Skill Requirements
See tags.
Links
You can discuss this issue in the MoinMoin wiki: http://moinmo.in/EasyToDo/autoescaping%20with%20jinja2%20-%20review%20code%20and%20templates%20to%20prepare%20for%20it