chore(deps): [security] bump jinja2 from 3.1.2 to 3.1.3
Bumps jinja2 from 3.1.2 to 3.1.3. This update includes a security fix.
Vulnerabilities fixed
Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter The
xmlattrfilter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. Note that accepting keys as user input is not common or a particularly intended use case of thexmlattrfilter, and an application doing so should already be verifying what keys are provided regardless of this fix.Patched versions: 3.1.3 Affected versions: < 3.1.3
Release notes
Sourced from jinja2's releases.
3.1.3
This is a fix release for the 3.1.x feature branch.
- Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using
xmlattrand passing user input as attribute keys.- Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-3
- Milestone: https://github.com/pallets/jinja/milestone/15?closed=1
Changelog
Sourced from jinja2's changelog.
Version 3.1.3
Released 2024-01-10
- Fix compiler error when checking if required blocks in parent templates are empty.
🇵🇷 1858xmlattrfilter does not allow keys with spaces. GHSA-h5c8-rqwp-cp95- Make error messages stemming from invalid nesting of
{% trans %}blocks more helpful.🇵🇷 1918
Commits
-
d9de4bbrelease version 3.1.3 -
50124e1skip test pypi -
9ea7222use trusted publishing -
da703f7use trusted publishing -
bce1746use trusted publishing -
7277d80update pre-commit hooks -
5c8a105Make nested-trans-block exceptions nicer (#1918) -
19a55dbMake nested-trans-block exceptions nicer -
7167953Merge pull request from GHSA-h5c8-rqwp-cp95 -
7dd3680xmlattr filter disallows keys with spaces - Additional commits viewable in compare view