fix: better Jinja2 Chat extension security

[anakin87]

Related Issues

• part of https://github.com/deepset-ai/haystack-private/issues/412

Proposed Changes:

• see https://github.com/deepset-ai/haystack-private/issues/412#issuecomment-4770683176

How did you test it?

CI, new tests
(some tests might be redundant but I chose to keep them to avoid future regressions)

Checklist

• I have read the contributors guidelines and the code of conduct.
• I have updated the related issue with new insights and changes.
• I have added unit tests and updated the docstrings.
• I've used one of the conventional commit types for my PR title: fix:, feat:, build:, chore:, ci:, docs:, style:, refactor:, perf:, test: and added ! in case the PR includes breaking changes.
• I have documented my code.
• I have added a release note file, following the contributors guidelines.
• I have run pre-commit hooks and fixed any issue.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
haystack-docs	Ready	Preview, Comment	Jun 22, 2026 3:48pm

[github-actions]

Coverage report

Click to see where and how coverage changed

File	Statements	Missing	Coverage	Coverage (new stmts)	Lines missing
haystack/utils
jinja2_chat_extension.py					315
Project Total

This report was generated by python-coverage-comment-action

[claude]

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

[julian-risch]

Thanks @anakin87 ! Looks good to me. I briefly thought about whether we should handle the removal of START_TAG/END_TAG as a breaking change but I agree there is no good reason to do that. It's a fix that we can roll out in a next minor Haystack 2.x release.