From 9b5cc01b062d53a8eed8c1361313b886dd8f058f Mon Sep 17 00:00:00 2001
From: Kelvin Velasquez
Date: Fri, 19 Dec 2025 13:23:51 -0600
Subject: [PATCH] fix(security): resolve B701 and B113 bandit issues (#3353)

Detailed changes:
- Enable autoescape=True for Jinja2 environment to prevent XSS (B701).
- Add timeout=15s to requests.get in nginx amp (B113).
- Add timeout=15s to post in restful export (B113).
---
 glances/amps/nginx/__init__.py | 2 +-
 glances/exports/glances_restful/__init__.py | 2 +-
 glances/outputs/glances_stdout_fetch.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/glances/amps/nginx/__init__.py b/glances/amps/nginx/__init__.py
index 7aa43e13..3e878f70 100644
--- a/glances/amps/nginx/__init__.py
+++ b/glances/amps/nginx/__init__.py
@@ -66,7 +66,7 @@ class Amp(GlancesAmp):
         """Update the AMP"""
         # Get the Nginx status
         logger.debug('{}: Update stats using status URL {}'.format(self.NAME, self.get('status_url')))
-        res = requests.get(self.get('status_url'))
+        res = requests.get(self.get('status_url'), timeout=15)
         if res.ok:
             # u'Active connections: 1 \nserver accepts handled requests\n 1 1 1 \nReading: 0 Writing: 1 Waiting: 0 \n'
             self.set_result(res.text.rstrip())
diff --git a/glances/exports/glances_restful/__init__.py b/glances/exports/glances_restful/__init__.py
index 8f160e1b..8a421bdc 100644
--- a/glances/exports/glances_restful/__init__.py
+++ b/glances/exports/glances_restful/__init__.py
@@ -54,7 +54,7 @@ class Export(GlancesExport):
         # One complete loop have been done
         logger.debug(f"Export stats ({listkeys(self.buffer)}) to RESTful endpoint ({self.client})")
         # Export stats
-        post(self.client, json=self.buffer, allow_redirects=True)
+        post(self.client, json=self.buffer, allow_redirects=True, timeout=15)
         # Reset buffer
         self.buffer = {}
diff --git a/glances/outputs/glances_stdout_fetch.py b/glances/outputs/glances_stdout_fetch.py
index 400c7533..6a3c55a6 100644
--- a/glances/outputs/glances_stdout_fetch.py
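Review bot: The added `timeout=15` turns a stalled or unreachable status endpoint into a `requests.exceptions.Timeout` (or `ConnectionError`) raised straight out of the AMP update, and nothing in this hunk catches it; unless the caller already guards AMP updates (not visible here), one slow Nginx now aborts the whole refresh instead of just leaving this AMP's result unset. The `if res.ok:` fall-through already handles a non-OK reply by doing nothing, so the exception path should end up in the same place rather than propagate, as below. Two smaller points: a single float is both the connect and the per-read timeout, so a server that trickles bytes can hold the call well past 15 s, and the bare `15` is duplicated in the restful exporter, so a named module constant would keep the two in step. The enclosing `update()` begins and ends outside this hunk.
```python
        # … unchanged: debug log of status_url …
        try:
            res = requests.get(self.get('status_url'), timeout=15)
        except requests.RequestException as e:
            # A slow or unreachable Nginx must not abort the whole AMP refresh;
            # fall through exactly like a non-OK reply does.
            logger.debug('{}: cannot fetch status URL ({})'.format(self.NAME, e))
            res = None
        if res is not None and res.ok:
        # … unchanged: set_result on the response text …
```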
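Review bot: The changed `post(...)` line still discards the response, so a 4xx/5xx from the endpoint is silently ignored while `self.buffer = {}` on the next lines drops the stats regardless, and with the new timeout a `Timeout`/`ConnectionError` now propagates out of the export loop unless something outside the hunk catches it. Checking the result and catching `RequestException` (which needs importing alongside `post`) makes both failure modes visible, as below. Separately, `allow_redirects=True` on a POST means requests turns a 301/302/303 into a GET with no body, so a redirected endpoint loses the stats without any error; `allow_redirects=False` plus a logged non-2xx, or inspecting `res.history`, would surface that. The enclosing method begins and ends outside this hunk.
```python
        # … unchanged: debug log of buffered keys …
        try:
            res = post(self.client, json=self.buffer, allow_redirects=True, timeout=15)
        except RequestException as e:  # from requests import RequestException
            logger.error(f"Cannot export stats to RESTful endpoint ({e})")
        else:
            if not res.ok:
                logger.error(f"RESTful endpoint returned HTTP {res.status_code}")
        # … unchanged: buffer reset …
```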
+++ b/glances/outputs/glances_stdout_fetch.py
@@ -78,7 +78,7 @@ class GlancesStdoutFetch:
             fetch_template = f.read()
         # Create a Jinja2 environment
-        jinja_env = jinja2.Environment(loader=jinja2.BaseLoader())
+        jinja_env = jinja2.Environment(loader=jinja2.BaseLoader(), autoescape=True)
         template = jinja_env.from_string(fetch_template)
         output = template.render(gl=self.gl)
         print(output)
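Review bot: `autoescape=True` applies HTML escaping to a template whose output goes to `print(output)`, and the file name suggests a terminal "fetch"-style text report rather than HTML; if so, any stat containing `&`, `<`, `>`, `'` or `"` (a process command line, a hostname) will now appear on stdout as `&amp;`, `&lt;` and so on. If the template really is plain text, the honest resolution of B701 is to keep escaping off and record why: `jinja_env = jinja2.Environment(loader=jinja2.BaseLoader(), autoescape=False)  # nosec B701 - renders plain text to stdout, not HTML`. The injection risk that does apply to terminal output, ANSI/control sequences embedded in stat values, is not addressed by HTML escaping either and would need a filter stripping control characters before rendering, which I would raise separately rather than fold into this line. Note also that `fetch_template` is read from a file and executed as Jinja2 code, so that path must stay trusted. The enclosing method begins outside this hunk.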