Do not autoescape all Jinja2 templates

this breaks pxe config rendering when e.g. quotes are needed (like for values
with spaces), replacing them with HTML escape codes.

Instead use smart autoescape which by default is only enabled for
htm(l) and xml templates.
Not specifically setting override for strings as we set the template
name for string templates anyway, and matching goes by that name.
https://jinja.palletsprojects.com/en/2.11.x/api/#autoescaping

Change-Id: I27e63557d4bcd81d583c55315029425bec03fd98
Story: 2005791
Task: 39269
This commit is contained in:
Pavlo Shchelokovskyy 2020-04-02 08:24:08 +03:00
parent cbeb1ff0b5
commit d5c293a440
2 changed files with 15 additions and 1 deletions

View File

@ -472,7 +472,12 @@ def render_template(template, params, is_file=True):
else:
tmpl_name = 'template'
loader = jinja2.DictLoader({tmpl_name: template})
env = jinja2.Environment(loader=loader, autoescape=True)
# NOTE(pas-ha) bandit does not seem to cope with such syntaxis
# and still complains with B701 for that line
# NOTE(pas-ha) not using default_for_string=False as we set the name
# of the template above for strings too.
env = jinja2.Environment(loader=loader, # nosec B701
autoescape=jinja2.select_autoescape())
tmpl = env.get_template(tmpl_name)
return tmpl.render(params, enumerate=enumerate)

View File

@ -535,6 +535,15 @@ class JinjaTemplatingTestCase(base.TestCase):
self.params,
is_file=False))
def test_render_with_quotes(self):
"""test jinja2 autoescaping for everything is disabled """
self.expected = '"spam" ham'
self.params = {'foo': '"spam"', 'bar': 'ham'}
self.assertEqual(self.expected,
utils.render_template(self.template,
self.params,
is_file=False))
@mock.patch('ironic.common.utils.jinja2.FileSystemLoader', autospec=True)
def test_render_file(self, jinja_fsl_mock):
path = '/path/to/template.j2'