fix: enable Jinja2 autoescape to resolve Bandit B701 (CWE-94)

alchemystack · alchemystack · commit cc7307847115 · 2026-03-29T16:12:25.000+02:00
Use select_autoescape() in the build command's Jinja2 Environment to
satisfy the jinja2_autoescape_false security check. This enables HTML
escaping only for .html/.htm/.xml extensions, leaving YAML and .env
templates functionally unchanged.
diff --git a/src/qr_sampler/cli/build_cmd.py b/src/qr_sampler/cli/build_cmd.py
@@ -81,7 +81,7 @@ def _render_template(template_name: str, context: dict[str, Any]) -> str:
         Rendered string.
     """
     try:
-        from jinja2 import Environment, FileSystemLoader
+        from jinja2 import Environment, FileSystemLoader, select_autoescape
     except ImportError as exc:
         raise click.ClickException(
             "The 'build' command requires Jinja2. Install with: pip install qr-sampler[cli]"
@@ -90,6 +90,7 @@ def _render_template(template_name: str, context: dict[str, Any]) -> str:
     templates_dir = _resolve_templates_dir()
     env = Environment(
         loader=FileSystemLoader(str(templates_dir)),
+        autoescape=select_autoescape(),
         keep_trailing_newline=True,
         trim_blocks=True,
         lstrip_blocks=True,
