set jinja2 autoescape for html/xml templates (#1219)

vincentsarago · web-flow · commit cb65fed106eb · 2025-09-15T13:24:24.000+02:00
diff --git a/CHANGES.md b/CHANGES.md
@@ -2,10 +2,12 @@
 
 ## Unreleased
 
-### Misc
+## Misc
 
+* enable `jinja2.autoescape` for HTML/XML templates (ref: https://jinja.palletsprojects.com/en/stable/api/#autoescaping)
 * remove python 3.9 support
 
+
 ## 0.23.1 (2025-08-27)
 
 ### titiler.core
diff --git a/src/titiler/core/titiler/core/factory.py b/src/titiler/core/titiler/core/factory.py
@@ -92,7 +92,8 @@
 from titiler.core.utils import bounds_to_geometry, render_image
 
 jinja2_env = jinja2.Environment(
-    loader=jinja2.ChoiceLoader([jinja2.PackageLoader(__package__, "templates")])
+    autoescape=jinja2.select_autoescape(["html", "xml"]),
+    loader=jinja2.ChoiceLoader([jinja2.PackageLoader(__package__, "templates")]),
 )
 DEFAULT_TEMPLATES = Jinja2Templates(env=jinja2_env)
 
diff --git a/src/titiler/core/titiler/core/templating/__init__.py b/src/titiler/core/titiler/core/templating/__init__.py
@@ -16,7 +16,8 @@
 
 
 jinja2_env = jinja2.Environment(
-    loader=jinja2.ChoiceLoader([jinja2.PackageLoader(__package__, "html")])
+    autoescape=jinja2.select_autoescape(["html"]),
+    loader=jinja2.ChoiceLoader([jinja2.PackageLoader(__package__, "html")]),
 )
 DEFAULT_TEMPLATES = Jinja2Templates(env=jinja2_env)
 
diff --git a/src/titiler/extensions/titiler/extensions/viewer.py b/src/titiler/extensions/titiler/extensions/viewer.py
@@ -9,7 +9,8 @@
 from titiler.core.factory import FactoryExtension, TilerFactory
 
 jinja2_env = jinja2.Environment(
-    loader=jinja2.ChoiceLoader([jinja2.PackageLoader(__package__, "templates")])
+    autoescape=jinja2.select_autoescape(["html"]),
+    loader=jinja2.ChoiceLoader([jinja2.PackageLoader(__package__, "templates")]),
 )
 DEFAULT_TEMPLATES = Jinja2Templates(env=jinja2_env)
 
diff --git a/src/titiler/extensions/titiler/extensions/wms.py b/src/titiler/extensions/titiler/extensions/wms.py
@@ -24,7 +24,8 @@
 from titiler.core.resources.enums import ImageType, MediaType
 
 jinja2_env = jinja2.Environment(
-    loader=jinja2.ChoiceLoader([jinja2.PackageLoader(__package__, "templates")])
+    autoescape=jinja2.select_autoescape(["xml"]),
+    loader=jinja2.ChoiceLoader([jinja2.PackageLoader(__package__, "templates")]),
 )
 DEFAULT_TEMPLATES = Jinja2Templates(env=jinja2_env)
 

Original file line number	Diff line number	Diff line change
`@@ -92,7 +92,8 @@`
`92`	`92`	`from titiler.core.utils import bounds_to_geometry, render_image`
`93`	`93`
`94`	`94`	`jinja2_env = jinja2.Environment(`
`95`		`- loader=jinja2.ChoiceLoader([jinja2.PackageLoader(__package__, "templates")])`
	`95`	`+ autoescape=jinja2.select_autoescape(["html", "xml"]),`
	`96`	`+ loader=jinja2.ChoiceLoader([jinja2.PackageLoader(__package__, "templates")]),`
`96`	`97`	`)`
`97`	`98`	`DEFAULT_TEMPLATES = Jinja2Templates(env=jinja2_env)`
`98`	`99`
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,8 @@`
`16`	`16`
`17`	`17`
`18`	`18`	`jinja2_env = jinja2.Environment(`
`19`		`- loader=jinja2.ChoiceLoader([jinja2.PackageLoader(__package__, "html")])`
	`19`	`+ autoescape=jinja2.select_autoescape(["html"]),`
	`20`	`+ loader=jinja2.ChoiceLoader([jinja2.PackageLoader(__package__, "html")]),`
`20`	`21`	`)`
`21`	`22`	`DEFAULT_TEMPLATES = Jinja2Templates(env=jinja2_env)`
`22`	`23`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,8 @@`
`9`	`9`	`from titiler.core.factory import FactoryExtension, TilerFactory`
`10`	`10`
`11`	`11`	`jinja2_env = jinja2.Environment(`
`12`		`- loader=jinja2.ChoiceLoader([jinja2.PackageLoader(__package__, "templates")])`
	`12`	`+ autoescape=jinja2.select_autoescape(["html"]),`
	`13`	`+ loader=jinja2.ChoiceLoader([jinja2.PackageLoader(__package__, "templates")]),`
`13`	`14`	`)`
`14`	`15`	`DEFAULT_TEMPLATES = Jinja2Templates(env=jinja2_env)`
`15`	`16`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,8 @@`
`24`	`24`	`from titiler.core.resources.enums import ImageType, MediaType`
`25`	`25`
`26`	`26`	`jinja2_env = jinja2.Environment(`
`27`		`- loader=jinja2.ChoiceLoader([jinja2.PackageLoader(__package__, "templates")])`
	`27`	`+ autoescape=jinja2.select_autoescape(["xml"]),`
	`28`	`+ loader=jinja2.ChoiceLoader([jinja2.PackageLoader(__package__, "templates")]),`
`28`	`29`	`)`
`29`	`30`	`DEFAULT_TEMPLATES = Jinja2Templates(env=jinja2_env)`
`30`	`31`