We will go back to one of the applications we built with Flask. I modified the code to showcase the problem and removed the DB connection, because it is irrelevant for this example.
from flask import Flask, request, abort
from flask import render_template

app = Flask(__name__)


@app.route('/')
def attendance():
    name = request.args.get('name', None)
    if name:
        # the query parameter is returned as-is, so whatever the user
        # typed becomes part of the HTML response
        return name
    else:
        return render_template('index.html', name="")


app.run(debug=True)
The index.html template in the templates folder:
<title>Attendance Sheet</title>
<form>
    Your Name: <input type="text" name="name">
    <br>
    <input type="submit" name="Submit">
</form>
Expected behavior:
And this is what an attacker could potentially do, by submitting the following as the name:
<script>alert('boo')</script>
Now using MarkupSafe:
from flask import Flask, request, abort
from flask import render_template
from markupsafe import escape

app = Flask(__name__)


@app.route('/')
def attendance():
    name = request.args.get('name', None)
    if name:
        # escape() turns <, >, &, ' and " into HTML entities, so the
        # browser displays the text instead of interpreting it as markup.
        # Escape only when a value is present: escape(None) yields the
        # string 'None', which is truthy and would skip the template.
        return escape(name)
    else:
        return render_template('index.html', name="")


app.run(debug=True)
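To make the difference between the two views concrete without running a server, here is an added example (not code from the original post) that reflects the same script payload through an unescaped path and an escaped path, then parses each response as HTML to see which one actually creates a script element. The inputs are constructed for the demo; the example uses MarkupSafe's escape when it is installed and, as an assumption so it runs anywhere, falls back to the standard library's html.escape, which neutralises the same characters.

```python
"""Reflected-input demo: raw reflection vs. escaped reflection.

Added example, not the original post's code. Uses MarkupSafe's escape
when available and falls back to html.escape (assumption: either one
is acceptable for this demonstration).
"""
import html
from html.parser import HTMLParser
from typing import List

try:
    from markupsafe import escape  # the function the post uses
except ImportError:  # assumption: stdlib fallback so the demo runs offline
    from html import escape

# Constructed sample inputs: a benign name and the post's script payload.
BENIGN = "Alice"
PAYLOAD = "<script>alert('boo')</script>"


def reflect_unsafe(name: str) -> str:
    """Mirrors the first view: the query value is returned as the body."""
    return name


def reflect_safe(name: str) -> str:
    """Mirrors the MarkupSafe view: special characters become entities."""
    return str(escape(name))


class TagCollector(HTMLParser):
    """Records every start tag an HTML parser finds in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(document: str) -> List[str]:
    """Parse a response body as HTML and list the elements it creates."""
    collector = TagCollector()
    collector.feed(document)
    collector.close()
    return collector.tags


def roundtrips(name: str) -> bool:
    """Escaping is lossless: decoding the entities returns the input."""
    return html.unescape(reflect_safe(name)) == name


if __name__ == "__main__":
    print("unsafe:", tags_in(reflect_unsafe(PAYLOAD)))  # ['script']
    print("safe:  ", tags_in(reflect_safe(PAYLOAD)))    # []
    print("escaped body:", reflect_safe(PAYLOAD))
```

The unsafe path produces a document containing a script element; the escaped path produces plain text that the parser does not turn into any element at all, while html.unescape shows that nothing the user typed was lost, only its interpretation changed.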