A template from a server templating engine such as Jinja constructed from user input can allow the user to execute arbitrary code using certain template features. It can also allow for cross-site scripting.

Ensure that an untrusted value is never used to construct the template source itself. Jinja also provides a SandboxedEnvironment, which prohibits access to unsafe methods and attributes and can be used if constructing a template from user input is absolutely necessary.

In the following case, template is used to generate a Jinja2 template string. This can lead to remote code execution.

The following is an example of a string that could be used to cause remote code execution when interpreted as a template:

In the following case, user input is not used to construct the template; rather, it is only passed as a parameter when rendering the template, which is safe.

In the following case, a SandboxedEnvironment is used, preventing remote code execution.
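The three cases above side by side, as an added example that is not part of the original query help and is not the query's own sample code. It assumes the jinja2 package is installed; the function names (`render_unsafe`, `render_safe`, `render_safe_autoescaped`, `sandboxed_render`, `sandbox_allows_attribute`), the `Account` class and the `PROBE` input are constructed for this illustration. The probe is a harmless arithmetic expression: if it comes back evaluated, the input was compiled as template source rather than treated as data.

```python
"""Added example (not from the CodeQL query help): contrasts building a Jinja2
template from user input with passing that input as a render parameter, and
shows what SandboxedEnvironment blocks. Requires the jinja2 package."""
from jinja2 import Environment, Template
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample input: harmless on its own, but if the string is parsed
# as template syntax the expression inside is evaluated by the engine.
PROBE = "{{ 7 * 7 }}"


def render_unsafe(user_input: str) -> str:
    """Vulnerable pattern: the untrusted value becomes part of the template
    source, so any Jinja syntax it contains is compiled and executed."""
    return Template("Hello " + user_input).render()


def render_safe(user_input: str) -> str:
    """Safe pattern: the template source is a constant; the untrusted value
    is only a variable supplied at render time and is emitted as data."""
    return Template("Hello {{ name }}").render(name=user_input)


def render_safe_autoescaped(user_input: str) -> str:
    """Same as render_safe, with autoescaping on so that HTML in the value is
    escaped on output (the cross-site scripting half of the issue)."""
    env = Environment(autoescape=True)
    return env.from_string("Hello {{ name }}").render(name=user_input)


class Account:
    """Constructed object for the sandbox demonstration (hypothetical)."""

    def __init__(self, username: str):
        self.username = username

    def _secret(self) -> str:
        # Underscore-prefixed: the sandbox treats it as unsafe to reach.
        return "internal"


def sandboxed_render(template_source: str, **params) -> str:
    """Render user-controlled template source inside SandboxedEnvironment.
    Returns the output, or 'BLOCKED: ...' when the sandbox refuses."""
    env = SandboxedEnvironment()
    try:
        return env.from_string(template_source).render(**params)
    except SecurityError as exc:
        return f"BLOCKED: {exc}"


def sandbox_allows_attribute(attr: str) -> bool:
    """Ask the sandbox policy directly whether an attribute is reachable."""
    env = SandboxedEnvironment()
    acct = Account("alice")
    return env.is_safe_attribute(acct, attr, getattr(acct, attr))


if __name__ == "__main__":
    print(render_unsafe(PROBE))      # probe evaluated: template was built from input
    print(render_safe(PROBE))        # probe printed literally: input stayed data
    print(render_safe_autoescaped("<b>x</b>"))
    print(sandboxed_render("{{ acct.username }}", acct=Account("alice")))
    print(sandboxed_render("{{ acct._secret() }}", acct=Account("alice")))
    print(sandbox_allows_attribute("username"), sandbox_allows_attribute("_secret"))
```

The sandbox check at the end is the one worth keeping in a test suite: `is_safe_attribute` is the policy hook SandboxedEnvironment consults on every attribute lookup, so asserting on it for the objects you expose to templates documents exactly what the sandbox will and will not reach, independent of how a particular template is written.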

  • PortSwigger: [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection)