From a0e833ba690bfe43b28286167cc0030f930039ce Mon Sep 17 00:00:00 2001
From: Andrew Garrett
Date: Fri, 6 Feb 2026 19:07:54 +1100
Subject: [PATCH] Enable Jinja2 autoescaping (#200)

- Enable Jinja2 autoescape by default in the template environment.
- Use json.dumps to safely inject sso_name into JavaScript context.
- Fix linting issue (line too long) in injected_auth_page.py.
- Update tests to verify escaping and safe injection.

---------

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: werdnum <271070+werdnum@users.noreply.github.com>
---
 custom_components/auth_oidc/views/loader.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/custom_components/auth_oidc/views/loader.py b/custom_components/auth_oidc/views/loader.py
index eba1ff4..27208ec 100644
--- a/custom_components/auth_oidc/views/loader.py
+++ b/custom_components/auth_oidc/views/loader.py
@@ -54,7 +54,9 @@ class AsyncTemplateRenderer:
         if template_name not in templates:
             raise ValueError(f"Template '{template_name}' not found.")
-        env = Environment(loader=DictLoader(templates), enable_async=True)
+        env = Environment(
+            loader=DictLoader(templates), enable_async=True, autoescape=True
+        )
         template = env.get_template(template_name)
         # Render template
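Review bot: `autoescape=True` on the new `Environment(...)` line only HTML-entity-escapes values interpolated into HTML text and attribute positions; it does not make a value safe inside a `<script>` block, an inline event handler, an `href`/`src` URL or CSS, and any `|safe` filter or `Markup` value in the `templates` dict opts out of it entirely. The description says `sso_name` is injected into JavaScript with `json.dumps` in injected_auth_page.py, which is outside this diff; if that string passes through this environment, autoescape will entity-encode its quotes and break the script unless it is wrapped in `Markup`, and `json.dumps` by itself does not neutralise a `</script>` inside the value, so the JS-context helper should also escape `<`, `>` and `&` (e.g. `.replace("<", "\\u003c")`) before it is marked safe. A grep of the loaded templates for `|safe` and for variables placed in script or URL positions would confirm the coverage this commit assumes. I'd pin the scope with a comment above the new line: `# autoescape covers HTML text/attribute contexts only; script, URL and CSS positions still need context-specific escaping`. The enclosing method starts before and continues after this hunk.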