Skip to content

[Security] Bump jinja2 from 3.1.2 to 3.1.3

HIFIS Bot requested to merge dependabot-pip-jinja2-3.1.3 into main

Bumps jinja2 from 3.1.2 to 3.1.3. This update includes a security fix.

Vulnerabilities fixed

Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter The xmlattr filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. Note that accepting keys as user input is not common or a particularly intended use case of the xmlattr filter, and an application doing so should already be verifying what keys are provided regardless of this fix.

Patched versions: 3.1.3 Affected versions: < 3.1.3

Release notes

Sourced from jinja2's releases.

3.1.3

This is a fix release for the 3.1.x feature branch.

Changelog

Sourced from jinja2's changelog.

Version 3.1.3

Released 2024-01-10

  • Fix compiler error when checking if required blocks in parent templates are empty. 🇵🇷1858
  • xmlattr filter does not allow keys with spaces. GHSA-h5c8-rqwp-cp95
  • Make error messages stemming from invalid nesting of {% trans %} blocks more helpful. 🇵🇷1918
Commits

Merge request reports

Loading