use Sandbox Environment to render templates

cookbook/helper/template_helper.py

@@ -3,6 +3,8 @@ from gettext import gettext as _
 import bleach
 import markdown as md
 from jinja2 import Template, TemplateSyntaxError, UndefinedError
+from jinja2.exceptions import SecurityError
+from jinja2.sandbox import SandboxedEnvironment
 from markdown.extensions.tables import TableExtension
 
 from cookbook.helper.mdx_attributes import MarkdownFormatExtension
@@ -89,11 +91,13 @@ def render_instructions(step):  # TODO deduplicate markdown cleanup code
         return f"<scalable-number v-bind:number='{bleach.clean(str(number))}' v-bind:factor='ingredient_factor'></scalable-number>"
 
     try:
-        template = Template(instructions)
+        env = SandboxedEnvironment()
-        instructions = template.render(ingredients=ingredients, scale=scale)
+        instructions = env.from_string(instructions).render(ingredients=ingredients, scale=scale)
     except TemplateSyntaxError:
         return _('Could not parse template code.') + ' Error: Template Syntax broken'
     except UndefinedError:
         return _('Could not parse template code.') + ' Error: Undefined Error'
+    except SecurityError:
+        return _('Could not parse template code.') + ' Error: Security Error'
 
     return instructions