Skip to content

fix(security): enable Jinja2 autoescape to prevent XSS in gepa sample#5526

Open
k4w1992-lgtm wants to merge 2 commits intogoogle:mainfrom
k4w1992-lgtm:fix/jinja2-xss-autoescape
Open

fix(security): enable Jinja2 autoescape to prevent XSS in gepa sample#5526
k4w1992-lgtm wants to merge 2 commits intogoogle:mainfrom
k4w1992-lgtm:fix/jinja2-xss-autoescape

Conversation

@k4w1992-lgtm
Copy link
Copy Markdown

@k4w1992-lgtm k4w1992-lgtm commented Apr 28, 2026

Security Fix: XSS via Jinja2 Template Injection (CWE-79)

Vulnerability

contributing/samples/gepa/rater_lib.py instantiates jinja2.Environment() without autoescape=True. The companion template rubric_validation_template.txt renders {{user_input}} and {{model_response}} without escaping.

Impact

Since ADK is Google's official framework for building AI agents, developers copy/adapt this sample code into production web applications. Unescaped user-controlled input in Jinja2 templates enables:

  • Cross-Site Scripting (XSS) — Arbitrary JavaScript execution in browsers
  • Session Hijacking — Steal cookies/tokens if rendered in web context
  • Phishing — Inject fake login forms

Proof of Concept

# user_input: <script>alert("XSS")</script>
# Renders as: <main_prompt><script>alert("XSS")</script></main_prompt>

# model_response: <img src=x onerror=alert("XSS from model")>
# Renders as: <responses><img src=x onerror=alert("XSS from model")></responses>

Changes

  1. rater_lib.py:170jinja2.Environment()jinja2.Environment(autoescape=True)
  2. rubric_validation_template.txt:158{{user_input}}{{user_input|e}}
  3. rubric_validation_template.txt:163{{model_response}}{{model_response|e}}

Defense in depth: autoescape=True provides baseline protection, explicit |e filters ensure escaping even if autoescape is later disabled.

References

@google-cla
Copy link
Copy Markdown

google-cla Bot commented Apr 28, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@k4w1992-lgtm
Copy link
Copy Markdown
Author

k4w1992-lgtm commented Apr 28, 2026

I have signed the Google CLA. Please re-check.

@k4w1992-lgtm k4w1992-lgtm force-pushed the fix/jinja2-xss-autoescape branch 2 times, most recently from 7a9cb7f to d203843 Compare April 28, 2026 20:15
@k4w1992-lgtm
fix(security): enable Jinja2 autoescape to prevent XSS in gepa sample
d203843 
CWE-79 (Cross-Site Scripting)

The gepa rater_lib.py instantiated jinja2.Environment() without autoescape=True,
allowing user_input and model_response to be rendered as raw HTML.

This fix:
- Enable autoescape=True in jinja2.Environment()
- Add explicit |e filters to {{user_input}} and {{model_response}} as defense-in-depth
@rohityan rohityan self-assigned this Apr 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@rohityan rohityan

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@k4w1992-lgtm @rohityan