[Security] Bump jinja2 from 3.1.2 to 3.1.3
Bumps jinja2 from 3.1.2 to 3.1.3. This update includes a security fix.
Vulnerabilities fixed
Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter The
xmlattr
filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. Note that accepting keys as user input is not common or a particularly intended use case of thexmlattr
filter, and an application doing so should already be verifying what keys are provided regardless of this fix.Patched versions: 3.1.3 Affected versions: < 3.1.3
Release notes
Sourced from jinja2's releases.
3.1.3
This is a fix release for the 3.1.x feature branch.
- Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using
xmlattr
and passing user input as attribute keys.- Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-3
- Milestone: https://github.com/pallets/jinja/milestone/15?closed=1
Changelog
Sourced from jinja2's changelog.
Version 3.1.3
Released 2024-01-10
- Fix compiler error when checking if required blocks in parent templates are empty.
🇵🇷 1858
xmlattr
filter does not allow keys with spaces. GHSA-h5c8-rqwp-cp95- Make error messages stemming from invalid nesting of
{% trans %}
blocks more helpful.🇵🇷 1918
Commits
-
d9de4bb
release version 3.1.3 -
50124e1
skip test pypi -
9ea7222
use trusted publishing -
da703f7
use trusted publishing -
bce1746
use trusted publishing -
7277d80
update pre-commit hooks -
5c8a105
Make nested-trans-block exceptions nicer (#1918) -
19a55db
Make nested-trans-block exceptions nicer -
7167953
Merge pull request from GHSA-h5c8-rqwp-cp95 -
7dd3680
xmlattr filter disallows keys with spaces - Additional commits viewable in compare view