Currently I'm putting together a deliberately vulnerable VM network for a training environment to do an exploitation and follow-on patch objective for my team. One of the vulnerabilities I'm looking to demonstrate is Server-Side Template Injection (via Django/Jinja2) on a simple "blog" page with absolutely no filter on user input. The intake is working perfectly and storing in the SQLite DB with no issues, looking exactly as expected; however, the problem is displaying this unsanitized user input. In fact, even while actively trying to force Django not to escape or filter, it continues to display only the plaintext entered by the user rather than interpret it as template tagging properly.
The Rendered Output:
The Template Itself:
And finally the views.py rendering it:
For reference, I am using Python version 3.9.10 and Django version 4.0.6. Is there a way to force the behavior I'm looking for, or will I have to go in search of an older version without these protections and start over on the backend work?