Templating
jinja2, string.Template — SSTI and XSS sinks
PyBleach: bleach is an HTML sanitizer library. bleach.clean() strips dangerous tags and attributes and serves as a sanitizer for XSS flows. bleach.linkify() is also safe.
PyChevron: third-party Python package module — chevron. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyDocutils: third-party Python package module — docutils. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyFpdf: third-party Python package module — fpdf. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyHtml: the html module. html.escape() is the canonical XSS sanitizer for writing user input into HTML text content. html.unescape() does the inverse and should NOT be used on output paths.
PyHtml5lib: third-party Python package module — html5lib. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyJinja2: Jinja2 is the template engine behind Flask and many Python frameworks. Template(source).render() and Environment.from_string() evaluate template syntax, so they are an SSTI sink when the template source comes from user input. Autoescape only protects rendered output, not the template source itself.
PyMarkdown: third-party Python package module — markdown. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyReportlab: third-party Python package module — reportlab. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyStringTemplate: string.Template and string.Formatter. string.Template substitution of $var placeholders is safe when the placeholders are explicit. Formatter.format() with a user-controlled format_spec is a format-string injection vector.
PyWebencodings: third-party Python package module — webencodings. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.