From 472d33f3da5e9410d9fc4d2e50e154d0794a4885 Mon Sep 17 00:00:00 2001
From: Aditya Hase
Date: Mon, 29 Jul 2019 17:07:09 +0530
Subject: [PATCH] fix(security): Make Jinja Tighter
---
 frappe/utils/jinja.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/frappe/utils/jinja.py b/frappe/utils/jinja.py
index 7a27fb3c3b..28e3b3d463 100644
--- a/frappe/utils/jinja.py
+++ b/frappe/utils/jinja.py
@@ -6,10 +6,11 @@ def get_jenv():
 	import frappe
 	if not getattr(frappe.local, 'jenv', None):
-		from jinja2 import Environment, DebugUndefined
+		from jinja2 import DebugUndefined
+		from jinja2.sandbox import SandboxedEnvironment
 		# frappe will be loaded last, so app templates will get precedence
-		jenv = Environment(loader = get_jloader(),
+		jenv = SandboxedEnvironment(loader = get_jloader(),
 			undefined=DebugUndefined)
 		set_filters(jenv)