forked from orbit-oss/flask
docs: `http://...`
This commit is contained in:
defuz
parent
974e144843
commit
7e157ee589
2 changed files with 4 additions and 4 deletions
|
|
@ -25,7 +25,7 @@ careful:
|
|||
- generating HTML without the help of Jinja2
|
||||
- calling :class:`~flask.Markup` on data submitted by users
|
||||
- sending out HTML from uploaded files, never do that, use the
|
||||
`Content-Disposition: attachment` header to prevent that problem.
|
||||
``Content-Disposition: attachment`` header to prevent that problem.
|
||||
- sending out textfiles from uploaded files. Some browsers are using
|
||||
content-type guessing based on the first few bytes so users could
|
||||
trick a browser to execute HTML.
|
||||
|
|
@ -71,7 +71,7 @@ application's users with social engineering to do stupid things without
|
|||
them knowing.
|
||||
|
||||
Say you have a specific URL that, when you sent ``POST`` requests to will
|
||||
delete a user's profile (say `http://example.com/user/delete`). If an
|
||||
delete a user's profile (say ``http://example.com/user/delete``). If an
|
||||
attacker now creates a page that sends a post request to that page with
|
||||
some JavaScript they just has to trick some users to load that page and
|
||||
their profiles will end up being deleted.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue