orbit-oss/flask
4
4
Fork 2
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

move html escaping to dedicated section

Browse source
This commit is contained in:
David Lord 2020-04-02 12:41:35 -07:00
parent 56e75eace5
commit 57f9623b08
No known key found for this signature in database
GPG key ID: 7A1C87E3F5BC42A8
1 changed files with 31 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

42
docs/quickstart.rst
View file

@ -168,6 +168,34 @@ documentation`_.
Have another debugger in mind? See :ref:`working-with-debuggers`. Have another debugger in mind? See :ref:`working-with-debuggers`.
HTML Escaping
-------------
When returning HTML (the default response type in Flask), any
user-provided values rendered in the output must be escaped to protect
from injection attacks. HTML templates rendered with Jinja, introduced
later, will do this automatically.
:func:`~markupsafe.escape`, shown here, can be used manually. It is
omitted in most examples for brevity, but you should always be aware of
how you're using untrusted data.
.. code-block:: python
from markupsafe import escape
@app.route("/<name>")
def hello(name):
return f"Hello, {escape(name)}!"
If a user managed to submit the name ``<script>alert("bad")</script>``,
escaping causes it to be rendered as text, rather than running the
script in the user's browser.
``<name>`` in the route captures a value from the URL and passes it to
the view function. These variable rules are explained below.
Routing Routing
------- -------
@ -201,17 +229,17 @@ of the argument like ``<converter:variable_name>``. ::
@app.route('/user/<username>') @app.route('/user/<username>')
def show_user_profile(username): def show_user_profile(username):
# show the user profile for that user # show the user profile for that user
return f'User {escape(username)}' return f'User {username}'
@app.route('/post/<int:post_id>') @app.route('/post/<int:post_id>')
def show_post(post_id): def show_post(post_id):
# show the post with the given id, the id is an integer # show the post with the given id, the id is an integer
return f'Post {escape(post_id)}' return f'Post {post_id}'
@app.route('/path/<path:subpath>') @app.route('/path/<path:subpath>')
def show_subpath(subpath): def show_subpath(subpath):
# show the subpath after /path/ # show the subpath after /path/
return f'Subpath {escape(subpath)}' return f'Subpath {subpath}'
Converter types: Converter types:
@ -223,14 +251,6 @@ Converter types:
``uuid`` accepts UUID strings ``uuid`` accepts UUID strings
========== ========================================== ========== ==========================================
.. note:: HTML escaping
When returning HTML (the default response type in Flask), any user
input rendered in the output must be escaped to protect from
injection attacks. HTML templates in Jinja, introduced later, will
do this automatically. :func:`~markupsafe.escape`, shown above, can
be used manually.
Unique URLs / Redirection Behavior Unique URLs / Redirection Behavior
`````````````````````````````````` ``````````````````````````````````