Update test_jinja2.py (#2491)

Cross-site scripting (XSS) attacks can occur if untrusted input is not escaped. This applies to templates as well as code. The jinja2 templates may be vulnerable to XSS if the environment has autoescape set to False. Unfortunately, jinja2 sets autoescape to False by default. Explicitly setting autoescape to True when creating an Environment object will prevent this. Signed-off-by: Rajendran, Ramasubramanian <Ramasubramanian.Rajendran@fmr.com>
2024-09-04 17:54:25 +05:30 · 2024-09-04 17:54:25 +05:30 · 6c5730f31a
parent d6e667f3eb
commit 6c5730f31a
1 changed files with 2 additions and 2 deletions
--- a/instrumentation/opentelemetry-instrumentation-jinja2/tests/test_jinja2.py
+++ b/instrumentation/opentelemetry-instrumentation-jinja2/tests/test_jinja2.py
@ -143,7 +143,7 @@ class TestJinja2Instrumentor(TestBase):
    def test_file_template_with_root(self):
        with self.tracer.start_as_current_span("root"):
            loader = jinja2.loaders.FileSystemLoader(TMPL_DIR)
-            env = jinja2.Environment(loader=loader)
+            env = jinja2.Environment(loader=loader, autoescape=True)
            template = env.get_template("template.html")
            self.assertEqual(
                template.render(name="Jinja"), "Message: Hello Jinja!"
@ -164,7 +164,7 @@ class TestJinja2Instrumentor(TestBase):

    def test_file_template(self):
        loader = jinja2.loaders.FileSystemLoader(TMPL_DIR)
-        env = jinja2.Environment(loader=loader)
+        env = jinja2.Environment(loader=loader, autoescape=True)
        template = env.get_template("template.html")
        self.assertEqual(
            template.render(name="Jinja"), "Message: Hello Jinja!"