Do not autoescape all Jinja2 templates
This breaks PXE config rendering when e.g. quotes are needed (such as for values with spaces), because they are replaced with HTML escape codes. Instead, use smart autoescaping, which by default is enabled only for htm(l) and xml templates. No override is set specifically for strings, as we set the template name for string templates anyway, and matching goes by that name. https://jinja.palletsprojects.com/en/2.11.x/api/#autoescaping Change-Id: I27e63557d4bcd81d583c55315029425bec03fd98 Story: 2005791 Task: 39269
parent
cbeb1ff0b5
commit
d5c293a440
@ -472,7 +472,12 @@ def render_template(template, params, is_file=True):
|
||||
else:
|
||||
tmpl_name = 'template'
|
||||
loader = jinja2.DictLoader({tmpl_name: template})
|
||||
env = jinja2.Environment(loader=loader, autoescape=True)
|
||||
# NOTE(pas-ha) bandit does not seem to cope with such syntaxis
|
||||
# and still complains with B701 for that line
|
||||
# NOTE(pas-ha) not using default_for_string=False as we set the name
|
||||
# of the template above for strings too.
|
||||
env = jinja2.Environment(loader=loader, # nosec B701
|
||||
autoescape=jinja2.select_autoescape())
|
||||
tmpl = env.get_template(tmpl_name)
|
||||
return tmpl.render(params, enumerate=enumerate)
|
||||
|
||||
|
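Review bot: `jinja2.select_autoescape()` with no arguments escapes only templates whose name ends in `.html`, `.htm` or `.xml`, so after this change the string branch (always named `'template'`) and any file template with another suffix, for instance `.j2`, interpolate `params` values verbatim. That is the intent for PXE configs, but it leaves the safety of the output resting on every caller validating values that may originate from API input, and an HTML or XML template stored under a `.j2`-style name would lose escaping silently; how the file branch derives `tmpl_name` is above the hunk, so this is worth confirming. I would spell that contract out in the `render_template` docstring and give the suppression a reason, e.g. `# nosec B701 - escaping is selected per template name`. If templates named like `*.xml.j2` exist, `jinja2.select_autoescape(enabled_extensions=('html', 'htm', 'xml', 'html.j2', 'xml.j2'))` keeps them covered.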
@ -535,6 +535,15 @@ class JinjaTemplatingTestCase(base.TestCase):
|
||||
self.params,
|
||||
is_file=False))
|
||||
|
||||
def test_render_with_quotes(self):
|
||||
"""test jinja2 autoescaping for everything is disabled """
|
||||
self.expected = '"spam" ham'
|
||||
self.params = {'foo': '"spam"', 'bar': 'ham'}
|
||||
self.assertEqual(self.expected,
|
||||
utils.render_template(self.template,
|
||||
self.params,
|
||||
is_file=False))
|
||||
|
||||
@mock.patch('ironic.common.utils.jinja2.FileSystemLoader', autospec=True)
|
||||
def test_render_file(self, jinja_fsl_mock):
|
||||
path = '/path/to/template.j2'
|
||||
|
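Review bot: `test_render_with_quotes` pins only the disabled half of the new behaviour; nothing asserts that a template whose name ends in `.html` or `.xml` is still escaped, so a later switch to a plain `autoescape=False` would pass the suite unnoticed. A companion case that renders through the file branch under an `.html` name and expects `&#34;spam&#34; ham` would lock that in; the mock setup of `test_render_file`, which starts just below and is cut off at the end of the hunk, looks reusable for it. The docstring would also be more precise as `"""Quotes are not HTML-escaped for non-HTML/XML template names."""`. `self.template` is defined outside the hunk, so the expected string is presumably matched to a `foo`-then-`bar` template.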