Tags: python, flask, jinja2

Is Autoescape default in jinja2 (Flask)?


I am researching some security bugs within some websites and would like to know if jinja2 enables autoescape by default. According to the Jinja documentation (http://jinja.pocoo.org/docs/2.9/faq/#why-is-autoescaping-not-the-default), it doesn't, but while I was testing the app on a new system, it was enabled (I may have accidentally done that though, not sure).

Can anyone shine some light on this?


Solution

  • According to the flask documentation:

    Unless customized, Jinja2 is configured by Flask as follows:

    autoescaping is enabled for all templates ending in .html, .htm, .xml as well as .xhtml when using render_template().

    Also:

    autoescaping is enabled for all strings when using render_template_string().

    Finally:

    a template has the ability to opt in/out autoescaping with the {% autoescape %} tag.

    So, while jinja may not autoescape by default, flask turns on Jinja's autoescaping by default.
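The three rules the answer quotes can be checked directly. The script below is an added example, not code from the question, the answer or the Flask project: it renders one constructed untrusted value through the paths the answer names (a `.html` template, a `.txt` template, a template that opts out with `{% autoescape %}`, and `render_template_string()`) and also queries Flask's own `select_jinja_autoescape()` helper, which is what `render_template()` consults to decide per filename. The template names and contents are constructed and loaded from an in-memory `DictLoader` so nothing needs to exist on disk.

```python
"""Check which Flask rendering paths autoescape (constructed example)."""
from flask import Flask, render_template, render_template_string
from jinja2 import DictLoader

# Constructed sample input: a value that must come out neutralised in HTML.
UNTRUSTED = "<script>alert(1)</script>"

app = Flask(__name__)

# Constructed in-memory templates; names chosen to hit each Flask rule.
app.jinja_env.loader = DictLoader({
    "page.html": "<p>{{ name }}</p>",            # .html -> autoescaped
    "page.txt": "{{ name }}",                    # .txt  -> not autoescaped
    "optout.html": "{% autoescape false %}{{ name }}{% endautoescape %}",
})


def render_named(template_name, value):
    """Render a loaded template the way a view would, inside an app context."""
    with app.app_context():
        return render_template(template_name, name=value)


def render_inline(source, value):
    """Render a template given as a string (always autoescaped by Flask)."""
    with app.app_context():
        return render_template_string(source, name=value)


def autoescape_matrix(value=UNTRUSTED):
    """Return the rendered output of each path plus Flask's per-filename decision."""
    return {
        "html_file": render_named("page.html", value),
        "txt_file": render_named("page.txt", value),
        "optout_html": render_named("optout.html", value),
        "string": render_inline("{{ name }}", value),
        # Flask's own extension check used by render_template().
        "html_selected": app.select_jinja_autoescape("page.html"),
        "txt_selected": app.select_jinja_autoescape("page.txt"),
    }


if __name__ == "__main__":
    for path, output in autoescape_matrix().items():
        print(f"{path:14} {output!r}")
```

Only the `.html` file and the string template come back with `<` and `>` replaced by entities; the `.txt` template and the opt-out block return the value verbatim, which is the case to look for when auditing a Flask app that renders non-HTML extensions or uses `{% autoescape false %}`.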