Merge "Do not autoescape all Jinja2 templates"

ironic/common/utils.py

@@ -472,7 +472,12 @@ def render_template(template, params, is_file=True):
     else:
         tmpl_name = 'template'
         loader = jinja2.DictLoader({tmpl_name: template})
-    env = jinja2.Environment(loader=loader, autoescape=True)
+    # NOTE(pas-ha) bandit does not seem to cope with such syntaxis
+    # and still complains with B701 for that line
+    # NOTE(pas-ha) not using default_for_string=False as we set the name
+    # of the template above for strings too.
+    env = jinja2.Environment(loader=loader,  # nosec B701
+                             autoescape=jinja2.select_autoescape())
     tmpl = env.get_template(tmpl_name)
     return tmpl.render(params, enumerate=enumerate)
 

ironic/tests/unit/common/test_utils.py

@@ -535,6 +535,15 @@ class JinjaTemplatingTestCase(base.TestCase):
                                                self.params,
                                                is_file=False))
 
+    def test_render_with_quotes(self):
+        """test jinja2 autoescaping for everything is disabled """
+        self.expected = '"spam" ham'
+        self.params = {'foo': '"spam"', 'bar': 'ham'}
+        self.assertEqual(self.expected,
+                         utils.render_template(self.template,
+                                               self.params,
+                                               is_file=False))
+
     @mock.patch('ironic.common.utils.jinja2.FileSystemLoader', autospec=True)
     def test_render_file(self, jinja_fsl_mock):
         path = '/path/to/template.j2'