fix(security): enable Jinja2 autoescape to prevent XSS in gepa sample

[k4w1992-lgtm]

Security Fix: XSS via Jinja2 Template Injection (CWE-79)

Vulnerability

contributing/samples/gepa/rater_lib.py instantiates jinja2.Environment() without autoescape=True. The companion template rubric_validation_template.txt renders {{user_input}} and {{model_response}} without escaping.

Impact

Since ADK is Google's official framework for building AI agents, developers copy/adapt this sample code into production web applications. Unescaped user-controlled input in Jinja2 templates enables:

• Cross-Site Scripting (XSS) — Arbitrary JavaScript execution in browsers
• Session Hijacking — Steal cookies/tokens if rendered in web context
• Phishing — Inject fake login forms

Proof of Concept

# user_input: <script>alert("XSS")</script>
# Renders as: <main_prompt><script>alert("XSS")</script></main_prompt>

# model_response: <img src=x onerror=alert("XSS from model")>
# Renders as: <responses><img src=x onerror=alert("XSS from model")></responses>

Changes

1. rater_lib.py:170 — jinja2.Environment() → jinja2.Environment(autoescape=True)
2. rubric_validation_template.txt:158 — {{user_input}} → {{user_input|e}}
3. rubric_validation_template.txt:163 — {{model_response}} → {{model_response|e}}

Defense in depth: autoescape=True provides baseline protection, explicit |e filters ensure escaping even if autoescape is later disabled.

References

• CWE-79: Cross-site Scripting (XSS)
• OWASP A7:2017 — Cross-site Scripting
• Jinja2 docs: https://jinja.palletsprojects.com/en/3.1.x/api/#autoescaping

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[k4w1992-lgtm]

I have signed the Google CLA. Please re-check.