demonstrate escaping with query string

A slash in the value would be interpreted as a path separator in the URL.
Badhreesh 2025-05-21 20:35:11 +02:00 committed by David Lord
parent 7fea7cf156
commit 0f83958247
GPG key ID: 43368A7AA8CC5926


@ -139,18 +139,16 @@ how you're using untrusted data.
.. code-block:: python
from flask import request
from markupsafe import escape
@app.route("/<name>")
def hello(name):
@app.route("/hello")
def hello():
name = request.args.get("name", "Flask")
return f"Hello, {escape(name)}!"
If a user managed to submit the name ``<script>alert("bad")</script>``,
escaping causes it to be rendered as text, rather than running the
script in the user's browser.
``<name>`` in the route captures a value from the URL and passes it to
the view function. These variable rules are explained below.
If a user submits ``/hello?name=<script>alert("bad")</script>``, escaping causes
it to be rendered as text, rather than running the script in the user's browser.
Routing
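Review bot: the replacement paragraph (``If a user submits ``/hello?name=<script>alert("bad")</script>`` ...``) drops the only explanation of why the example switched from a path variable to a query string; that reasoning lives solely in the commit message, so a reader who reaches the Routing section below and sees ``<name>`` rules will not know why ``request.args.get("name", "Flask")`` is used here instead. Suggest one sentence before the example along the lines of "The name is read from the query string rather than the path, since a ``/`` inside a path value would be treated as a path separator." Separately, the example URL is shown unencoded; a short note that browsers percent-encode ``<``, ``>`` and ``"`` and that ``request.args`` hands the view the decoded value would make clear that the escaping shown still applies to what the view actually receives.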