2
votes

According to the Jinja2 docs (link), it provides a:

powerful automatic HTML escaping system for XSS prevention

According to the Flask docs, it prevents XSS attacks by configuring Jinja2 to automatically escape all values unless explicitly told otherwise. So does Jinja2 do anything on its own to prevent XSS attacks?


1 Answer

2
votes

By default, everything Flask outputs via Jinja2 is HTML-escaped, so that even if you display a user-generated string it is guaranteed not to contain any malicious JavaScript/HTML code.

See more here.
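To make the distinction in the answer concrete, here is an added example (not part of the original question or answer, and not code from the Jinja2 or Flask projects). It renders the same template three ways: with a bare Jinja2 `Environment`, whose `autoescape` option is off by default; with `select_autoescape` enabled for HTML/XML template names and string templates, which is roughly how Flask configures its environment; and with the value wrapped in `markupsafe.Markup`, which is what the `|safe` filter does and which opts that value out of escaping. The template, the sample input and the function names are constructed for this illustration; the only dependency is the `jinja2` package (which pulls in `markupsafe`).

```python
"""Added example: Jinja2 autoescaping on its own versus the Flask-style
configuration. Illustrative code, not from the original post or the
Jinja2/Flask projects. Requires the jinja2 package."""
from jinja2 import Environment, select_autoescape
from markupsafe import Markup

# Constructed sample of attacker-controlled input, e.g. a profile display name.
USER_INPUT = '<script>alert("xss")</script>'

# Constructed template that interpolates the value as element text.
TEMPLATE = "<p>Hello {{ name }}</p>"


def render_plain_jinja2(value: str) -> str:
    """A bare Jinja2 Environment: autoescape defaults to False, so the
    value is inserted verbatim and the script tag survives."""
    env = Environment()
    return env.from_string(TEMPLATE).render(name=value)


def render_flask_style(value: str) -> str:
    """Roughly what Flask does: enable autoescaping for .html/.htm/.xml
    templates. select_autoescape also escapes string templates by default
    (default_for_string=True), so this from_string() render is escaped."""
    env = Environment(autoescape=select_autoescape(["html", "htm", "xml"]))
    return env.from_string(TEMPLATE).render(name=value)


def render_marked_safe(value: str) -> str:
    """Autoescaping only protects values Jinja2 treats as plain text.
    Wrapping the value in Markup (equivalent to applying |safe in the
    template) tells Jinja2 to trust it, which re-opens the XSS hole."""
    env = Environment(autoescape=select_autoescape(["html", "htm", "xml"]))
    return env.from_string(TEMPLATE).render(name=Markup(value))


if __name__ == "__main__":
    print("bare Jinja2:   ", render_plain_jinja2(USER_INPUT))
    print("Flask-style:   ", render_flask_style(USER_INPUT))
    print("Markup/|safe:  ", render_marked_safe(USER_INPUT))
```

The practical takeaway is the one the answer states: Jinja2 has the escaping machinery, but it is Flask that switches it on for HTML templates. Reviewing a Flask app for XSS therefore means looking for `|safe`, `Markup(...)`, `{% autoescape false %}` blocks, and templates rendered under a name that does not trigger autoescaping, rather than for the escaping itself.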