Michael Scherer of Red Hat reports:
ipsilon does not escape HTML when processing templates.
Can you please be a little biut more specific ?
As far as I know jinja2 escapes by default and I am not aware that we are using manual escaping anywhere.
Created ipsilon tracking bugs for this issue:
Affects: fedora-all [bug 1255176]
Uhm re-reading jinja2 documentation 3 times I finally see they say the escaping is not enabled automatically now :-(
This issue was discovered by Michael Scherer of Red Hat.
It was found that Ipsilon used default configuration of Jinja templating engine, which did not html escape template variables. This could be exploited to perform XSS attack if a value from untrusted input was used in the template that is rendered to the user`s browser.