From 8b9ac54451daa1604124fddc716d74610d5bd73f Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Sep 08 2015 13:11:58 +0000
Subject: Enable auto-escaping templates

This will prevent most cases of insertion of HTML or other code into the generated HTML.
Fixes: CVE-2015-5215
Signed-off-by: Patrick Uiterwijk
Reviewed-by: Rob Crittenden
---
diff --git a/ipsilon/ipsilon b/ipsilon/ipsilon
index a0cc158..bec13af 100755
--- a/ipsilon/ipsilon
+++ b/ipsilon/ipsilon
@@ -60,7 +60,9 @@ else:
 template_loaders.append(FileSystemLoader(
 os.path.join(cherrypy.config['base.dir'], default_template_dir)))
 
-template_env = Environment(loader=ChoiceLoader(template_loaders))
+template_env = Environment(loader=ChoiceLoader(template_loaders),
+autoescape=True,
+extensions=['jinja2.ext.autoescape'])
 
 if __name__ == "__main__":
 conf = {'/': {'tools.staticdir.root': os.getcwd()},
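Review bot: `autoescape=True` on the `Environment` only HTML-escapes `{{ }}` output, so values the templates (not visible here) place inside `<script>` blocks, unquoted attributes, or `href`/`src` values stay injectable, and any `|safe` filter or `Markup` wrapper in those templates still bypasses it; auditing the templates for those patterns is what would turn the commit's "most cases" into a complete fix, and any fragment they render pre-escaped will now be double-escaped. A comment on the new line would keep the intent from being undone by a later refactor: `# Escape all template output (CVE-2015-5215); every |safe must be justified per use.` If the project already requires Jinja2 >= 2.9, autoescaping is built in and the `extensions=['jinja2.ext.autoescape']` entry is redundant (the extension was removed in 3.0), so the supported Jinja2 version floor is worth pinning alongside this change. The module-level statement run around `template_env` continues past the hunk.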