Constructing a template for a server-side templating engine such as Jinja2 from user input lets the user supply template syntax rather than just data. Jinja2 expressions can reach Python attributes, methods and default template globals, so an attacker can walk from the template context to the `os` module or builtins and execute arbitrary code on the server. Even where code execution is not reached, injected template source can also be used for cross-site scripting.

Ensure that an untrusted value is never used to construct the template source itself; pass it as a render parameter instead, so it is treated as data. If constructing a template from user input is absolutely necessary, use Jinja2's SandboxedEnvironment, which refuses access to unsafe attributes and methods (including underscore-prefixed and internal attributes) and raises SecurityError when a template tries to use them. Treat the sandbox as defence in depth, not as a reason to accept user-controlled template source.

In the first (vulnerable) case, a user-controlled value is concatenated into the Jinja2 template source string. Anything the user writes inside `{{ ... }}` or `{% ... %}` is then compiled and executed, which can lead to remote code execution.

A string of the following kind, when interpreted as a template, is enough to cause remote code execution: it starts from a default template global or a string literal and follows the Python attribute chain (for example `__init__.__globals__` or `__class__.__mro__`) to reach the `os` module or `__builtins__`, then calls a function such as `os.popen` with an attacker-chosen command.

In the second case, user input is not used to construct the template. Instead, it is only passed as a parameter when rendering a fixed template, which is safe: the value is treated as data, not as template code, and with autoescaping enabled it is also HTML-escaped on output.

In the third case, the same user-controlled template source is rendered by a SandboxedEnvironment. The attribute accesses needed for the gadget chain are rejected with a SecurityError, preventing remote code execution.
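The three patterns described above, written out as an added example (this code is not from the original page or from any project it describes). It assumes that `jinja2` is installed; the inputs `BENIGN_INPUT` and `ATTACK_INPUT` are constructed sample data, and the function names `greet_vulnerable`, `greet_safe` and `greet_sandboxed` are hypothetical. The attack string uses the well-known `cycler.__init__.__globals__` gadget, which reaches the `os` module imported by `jinja2.utils`; it calls `os.getpid()` instead of `os.popen("id")` so that running it is harmless.

```python
"""Added example: user input as template source vs. render parameter vs. sandbox.

Assumes jinja2 is installed. Inputs below are constructed sample data; the
function names are hypothetical and do not come from the page or from Jinja2.
"""
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed sample inputs.
BENIGN_INPUT = "Alice"

# Classic Jinja2 SSTI gadget chain. `cycler` is one of Jinja2's default template
# globals (jinja2.utils.Cycler); its __init__.__globals__ is the module dict of
# jinja2.utils, which imports `os`. An attacker would finish the chain with
# os.popen("id").read(); os.getpid() keeps this demonstration harmless while
# still proving that arbitrary Python was executed.
ATTACK_INPUT = "{{ cycler.__init__.__globals__.os.getpid() }}"


def greet_vulnerable(user_input: str) -> str:
    """VULNERABLE: user input becomes part of the template *source*, so any
    {{ ... }} or {% ... %} it contains is compiled and executed."""
    env = Environment(autoescape=True)  # autoescaping does not prevent SSTI
    template = env.from_string("Hello " + user_input + "!")
    return template.render()


def greet_safe(user_input: str) -> str:
    """SAFE: the template source is a constant; user input is passed only as a
    render parameter, so it is treated as data and HTML-escaped on output."""
    env = Environment(autoescape=True)
    template = env.from_string("Hello {{ name }}!")
    return template.render(name=user_input)


def greet_sandboxed(user_input: str) -> str:
    """MITIGATED: the same unsafe construction, but SandboxedEnvironment refuses
    access to underscore-prefixed and internal attributes, so the gadget chain
    raises SecurityError before it can reach `os`."""
    env = SandboxedEnvironment(autoescape=True)
    template = env.from_string("Hello " + user_input + "!")
    try:
        return template.render()
    except SecurityError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    print("vulnerable:", greet_vulnerable(ATTACK_INPUT))  # Hello <pid>!
    print("safe:      ", greet_safe(ATTACK_INPUT))        # payload is inert text
    print("sandboxed: ", greet_sandboxed(ATTACK_INPUT))   # blocked: ...
```

Running the module shows the attack string evaluated to the server's process ID in the vulnerable version, echoed back unchanged as plain text in the safe version, and refused with a SecurityError in the sandboxed version. Note that `autoescape=True` is on in all three cases: output escaping addresses the cross-site scripting side of the problem but does nothing against template injection, because the payload runs before any output is escaped.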

  • PortSwigger: Server-Side Template Injection.