
Adds plugin to warn on Mako templates. Since mako does not have template-wide autoescaping (that we can verify is turned on), a developer is responsible for escaping each variable individually in the templates. This is higher than info because the *only* way to escape is via the variables, but not set to ERROR because we can't know for sure if any of those variables are used and/or malicious. Also add an XSS profile. Change-Id: I65515f9584d67d8b7b58b71b6ddb447c307675d1
12 lines
292 B
Python
# Bandit example file: each Template() construction below is expected to be
# reported. The three import forms exercise how the plugin resolves the
# call to mako.template.Template.
from mako.template import Template
import mako
from mako import template

Template("hello")

# XXX(fletcher): for some reason, bandit is missing the one below. keeping it
# in for now so that if it gets fixed inadvertently we know.
mako.template.Template("hern")
template.Template("hern")
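As an added illustration of the point the commit message makes (this is not code from the commit or from Bandit's plugin, which resolves names through Bandit's own context helpers), here is a stdlib-only checker that resolves the three import spellings exercised in the example file to mako.template.Template and reports each construction. It also treats Mako's default_filters=["h"] argument, Mako's own template-wide HTML-escape switch, as the one thing that justifies a lower severity, which is the "that we can verify is turned on" caveat from the message. The scan() name, the Finding class and the severity labels are assumptions; the sample sources are constructed.

```python
"""
Stdlib-only sketch of the check the commit message describes: find every
place a Mako Template is constructed and report it, downgrading the
severity when the call passes Mako's own default_filters=["h"].

Added illustration; not Bandit's plugin. Severity labels, scan() and the
Finding class are assumptions made for this example.
"""
import ast
from dataclasses import dataclass

# Fully qualified name of the constructor the commit's plugin warns on.
MAKO_TEMPLATE = "mako.template.Template"


@dataclass
class Finding:
    lineno: int
    severity: str
    reason: str


class MakoTemplateVisitor(ast.NodeVisitor):
    """Track import aliases so all three spellings from the example file resolve
    to the same qualified name: Template(...), mako.template.Template(...),
    template.Template(...)."""

    def __init__(self):
        self.aliases = {}    # local name -> dotted name it refers to
        self.findings = []

    def visit_Import(self, node):
        for alias in node.names:
            if alias.asname:                      # import mako.template as mt
                self.aliases[alias.asname] = alias.name
            else:                                 # import mako / import mako.template
                root = alias.name.split(".")[0]
                self.aliases[root] = root

    def visit_ImportFrom(self, node):
        if node.module is None:                   # relative import; out of scope here
            return
        for alias in node.names:                  # from mako import template
            self.aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"

    def qualname(self, node):
        """Resolve a Name/Attribute chain such as mako.template.Template to a dotted path."""
        parts = []
        while isinstance(node, ast.Attribute):
            parts.append(node.attr)
            node = node.value
        if not isinstance(node, ast.Name):
            return None
        root = self.aliases.get(node.id, node.id)
        return ".".join([root, *reversed(parts)])

    @staticmethod
    def html_escape_by_default(call):
        """True when the call passes default_filters containing Mako's 'h' filter."""
        for kw in call.keywords:
            if kw.arg == "default_filters" and isinstance(kw.value, (ast.List, ast.Tuple)):
                return any(isinstance(e, ast.Constant) and e.value == "h" for e in kw.value.elts)
        return False

    def visit_Call(self, node):
        if self.qualname(node.func) == MAKO_TEMPLATE:
            if self.html_escape_by_default(node):
                self.findings.append(Finding(node.lineno, "LOW",
                    "Mako template with default_filters=['h']; still check for '| n' overrides"))
            else:
                self.findings.append(Finding(node.lineno, "MEDIUM",
                    "Mako template without template-wide escaping; every ${...} must use '| h'"))
        self.generic_visit(node)


def scan(source):
    """Return findings for one Python source string, in line order."""
    visitor = MakoTemplateVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.lineno)


# Constructed inputs: the three calls from the example file, one hardened
# call, and a stdlib look-alike that must not fire.
EXAMPLE = """\
from mako.template import Template
import mako
from mako import template

Template("hello")

mako.template.Template("hern")
template.Template("hern")
"""

HARDENED = """\
from mako.template import Template
page = Template("<p>${name}</p>", default_filters=["h"])
"""

LOOKALIKE = """\
from string import Template
Template("$name")
"""

if __name__ == "__main__":
    for label, src in (("example", EXAMPLE), ("hardened", HARDENED), ("lookalike", LOOKALIKE)):
        for f in scan(src):
            print(f"{label}:{f.lineno}: {f.severity}: {f.reason}")
```

The hardened case is kept at LOW rather than dropped because a single `${x | n}` expression switches the default filters off for that expression, so default_filters=["h"] on the constructor narrows the review to those overrides instead of eliminating it.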