fix(security): enable Jinja2 autoescape to prevent XSS in gepa sample

k4w1992-lgtm · k4w1992-lgtm · commit d20384352017 · 2026-04-28T20:15:10.000-07:00
CWE-79 (Cross-Site Scripting)

The gepa rater_lib.py instantiated jinja2.Environment() without autoescape=True,
allowing user_input and model_response to be rendered as raw HTML.

This fix:
- Enable autoescape=True in jinja2.Environment()
- Add explicit |e filters to {{user_input}} and {{model_response}} as defense-in-depth
diff --git a/contributing/samples/gepa/rater_lib.py b/contributing/samples/gepa/rater_lib.py
@@ -167,7 +167,7 @@ def __call__(self, messages: list[dict[str, Any]]) -> dict[str, Any]:
     Returns:
       A dictionary containing rating information including score.
     """
-    env = jinja2.Environment()
+    env = jinja2.Environment(autoescape=True)
     env.globals['user_input'] = (
         messages[0].get('parts', [{}])[0].get('text', '') if messages else ''
     )
diff --git a/contributing/samples/gepa/rubric_validation_template.txt b/contributing/samples/gepa/rubric_validation_template.txt
@@ -155,12 +155,12 @@ Verdict: no
   </available_tools>
 
   <main_prompt>
-  {{user_input}}
+  {{user_input|e}}
   </main_prompt>
 </user_prompt>
 
 <responses>
-{{model_response}}
+{{model_response|e}}
 </responses>
 
 <properties>

Original file line number	Diff line number	Diff line change
`@@ -167,7 +167,7 @@ def __call__(self, messages: list[dict[str, Any]]) -> dict[str, Any]:`
`167`	`167`	`Returns:`
`168`	`168`	`A dictionary containing rating information including score.`
`169`	`169`	`"""`
`170`		`- env = jinja2.Environment()`
	`170`	`+ env = jinja2.Environment(autoescape=True)`
`171`	`171`	`env.globals['user_input'] = (`
`172`	`172`	`messages[0].get('parts', [{}])[0].get('text', '') if messages else ''`
`173`	`173`	`)`