Michael Scherer of Red Hat reports: ipsilon does not escape HTML when processing templates.
Can you please be a little bit more specific? As far as I know jinja2 escapes by default and I am not aware that we are using manual escaping anywhere.
Created ipsilon tracking bugs for this issue: Affects: fedora-all [bug 1255176]
Uhm re-reading jinja2 documentation 3 times I finally see they say the escaping is not enabled automatically now :-(
Acknowledgement: This issue was discovered by Michael Scherer of Red Hat.
Analysis: It was found that Ipsilon used the default configuration of the Jinja templating engine, which did not HTML-escape template variables. This could be exploited to perform an XSS attack if a value from untrusted input was used in a template that is rendered to the user's browser.
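The misconfiguration described in the analysis, shown as an added example (not Ipsilon's own code): a plain `jinja2.Environment()` leaves `autoescape` off, so a template variable is pasted into the HTML verbatim, while an environment built with `select_autoescape` escapes it. The template text and the untrusted value are constructed for illustration; `autoescape_enabled` is a hypothetical helper a deployment check could use to assert that an environment is hardened.

```python
from jinja2 import Environment, select_autoescape

# Constructed sample: a display name an attacker could submit through a form.
UNTRUSTED_NAME = "<script>alert(1)</script>"
# Constructed template that echoes the value into an HTML page.
TEMPLATE = "<p>Welcome, {{ name }}</p>"


def render_default(name: str) -> str:
    """Render with Jinja2's defaults: Environment() has autoescape=False,
    so the variable lands in the markup unescaped."""
    env = Environment()
    return env.from_string(TEMPLATE).render(name=name)


def render_hardened(name: str) -> str:
    """Render with autoescaping enabled.  select_autoescape() turns escaping
    on for .html/.htm/.xml template files and, with default_for_string=True,
    for templates loaded from strings such as this one."""
    env = Environment(
        autoescape=select_autoescape(default_for_string=True, default=True)
    )
    return env.from_string(TEMPLATE).render(name=name)


def autoescape_enabled(env: Environment, template_name=None) -> bool:
    """Hypothetical config check: report whether an environment escapes the
    given template.  env.autoescape is either a bool or a callable that takes
    the template name, so both forms are normalised to a bool."""
    value = env.autoescape
    return bool(value(template_name)) if callable(value) else bool(value)


if __name__ == "__main__":
    print("default :", render_default(UNTRUSTED_NAME))
    print("hardened:", render_hardened(UNTRUSTED_NAME))
    print("Environment() escapes? ", autoescape_enabled(Environment()))
```

The hardened variant is the setting to verify in review: an `Environment` whose `autoescape` resolves to false for HTML output is the condition the analysis describes. Values that are intentionally pre-rendered HTML should be wrapped in `markupsafe.Markup` rather than by switching escaping off globally.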