By default, Mako does not sanitize or escape input to templates, which leaves rendered templates open to XSS and other vulnerabilities.
Mako can sanitize output with filters, but no filters are applied by default.
This flaw applies to templates constructed generically:
from mako.template import Template
t = Template("<html><body> Hello ${ person }</body></html>")
t.render(person="<script type='javascript'>alert('I am an XSS flaw!')</script>")
Remediation: pass default_filters=['h'] to the Template constructor, or apply the ${ variable | h } filter inline for every variable.