demonstrate escaping with query string

A slash in the value would be interpreted as a path separator in the URL
Badhreesh 2025-05-21 20:35:11 +02:00 committed by David Lord
parent 7fea7cf156
commit 0f83958247
No known key found for this signature in database
GPG key ID: 43368A7AA8CC5926


@ -139,18 +139,16 @@ how you're using untrusted data.
.. code-block:: python .. code-block:: python
from flask import request
from markupsafe import escape from markupsafe import escape
@app.route("/<name>") @app.route("/hello")
def hello(name): def hello():
name = request.args.get("name", "Flask")
return f"Hello, {escape(name)}!" return f"Hello, {escape(name)}!"
If a user managed to submit the name ``<script>alert("bad")</script>``, If a user submits ``/hello?name=<script>alert("bad")</script>``, escaping causes
escaping causes it to be rendered as text, rather than running the it to be rendered as text, rather than running the script in the user's browser.
script in the user's browser.
``<name>`` in the route captures a value from the URL and passes it to
the view function. These variable rules are explained below.
Routing Routing
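Review bot: The example request in the new paragraph, ``/hello?name=<script>alert("bad")</script>``, is written with the payload unencoded; a browser percent-encodes ``<``, ``>`` and ``"`` before sending, and ``request.args.get("name", "Flask")`` hands the view the decoded value, so the escaping claim holds as written, but a short note that the URL is shown decoded for readability would stop readers from thinking the raw characters travel over the wire. The new ``"Flask"`` default also means a bare ``/hello`` renders ``Hello, Flask!``, which is worth stating since it makes the snippet runnable without a query string. Dropping the ``<name>`` paragraph ("These variable rules are explained below.") is consistent with the route change, since the example no longer uses a variable rule; just confirm that the Routing section which follows still introduces variable rules on its own now that this forward reference is gone.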