From e6087d5129cc9d0c24278948872377e66c2a2c20 Mon Sep 17 00:00:00 2001
From: vabene1111
Date: Tue, 26 Nov 2024 17:18:47 +0100
Subject: [PATCH] use Sandbox Environment to render templates

---
 cookbook/helper/template_helper.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/cookbook/helper/template_helper.py b/cookbook/helper/template_helper.py
index 4db1f5bcb..339a35d79 100644
--- a/cookbook/helper/template_helper.py
+++ b/cookbook/helper/template_helper.py
@@ -3,6 +3,8 @@ from gettext import gettext as _
 import bleach
 import markdown as md
 from jinja2 import Template, TemplateSyntaxError, UndefinedError
+from jinja2.exceptions import SecurityError
+from jinja2.sandbox import SandboxedEnvironment
 from markdown.extensions.tables import TableExtension
 
 from cookbook.helper.mdx_attributes import MarkdownFormatExtension
@@ -89,11 +91,13 @@ def render_instructions(step):
         # TODO deduplicate markdown cleanup code
         return f""
     try:
-        template = Template(instructions)
-        instructions = template.render(ingredients=ingredients, scale=scale)
+        env = SandboxedEnvironment()
+        instructions = env.from_string(instructions).render(ingredients=ingredients, scale=scale)
     except TemplateSyntaxError:
         return _('Could not parse template code.') + ' Error: Template Syntax broken'
     except UndefinedError:
         return _('Could not parse template code.') + ' Error: Undefined Error'
+    except SecurityError:
+        return _('Could not parse template code.') + ' Error: Security Error'
     return instructions
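Review bot: The `SandboxedEnvironment()` introduced on the try line still permits template code to call mutating methods on the objects handed in as `ingredients`, which a render-only path does not need; `jinja2.sandbox.ImmutableSandboxedEnvironment` blocks those as well, so `env = ImmutableSandboxedEnvironment()` is the tighter default here. The sandbox also does not bound execution time or memory, so a user-authored template can still tie up the rendering worker; that risk predates this commit but deserves a comment above the try, e.g. `# sandbox restricts attribute/method access only; it does not limit execution time or memory`. Building a fresh environment on every call is unnecessary since nothing per-request configures it; a single module-level instance next to the imports would do. With this change `Template` from the `jinja2` import in the first hunk appears unused in this function — remove it if nothing else in the file relies on it. render_instructions begins before the hunk.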