From 0f83958247e9eab1c7f62903601dfd5fe10c640f Mon Sep 17 00:00:00 2001 From: Badhreesh Date: Wed, 21 May 2025 20:35:11 +0200 Subject: [PATCH] demonstrate escaping with query string slash in value would be interpreted as a path separator in the URL --- docs/quickstart.rst | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/docs/quickstart.rst b/docs/quickstart.rst index f763bb1e..dde45728 100644 --- a/docs/quickstart.rst +++ b/docs/quickstart.rst @@ -139,18 +139,16 @@ how you're using untrusted data. .. code-block:: python + from flask import request from markupsafe import escape - @app.route("/") - def hello(name): + @app.route("/hello") + def hello(): + name = request.args.get("name", "Flask") return f"Hello, {escape(name)}!" -If a user managed to submit the name ````, -escaping causes it to be rendered as text, rather than running the -script in the user's browser. - -```` in the route captures a value from the URL and passes it to -the view function. These variable rules are explained below. +If a user submits ``/hello?name=``, escaping causes +it to be rendered as text, rather than running the script in the user's browser. Routing
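Review bot: the new sentence ``If a user submits ``/hello?name=``, escaping causes ...`` shows an empty value after ``name=`` in the hunk as rendered here, so the rendered page should be checked to confirm the example payload actually appears inside the literal (RST inline literals keep angle brackets verbatim, but the value must be present in the source). Beyond that, the change is sound: moving the name from the ``<name>`` route variable to ``request.args.get("name", "Flask")`` avoids the problem named in the subject, where a value containing a slash cannot be matched by a single path segment, so the escaping example can be reproduced as written. One follow-up: the removed paragraph was the first mention that ``<name>`` in a route captures a URL value and that "These variable rules are explained below"; since that introduction is now gone, confirm the "Routing" section that follows still introduces variable rules without assuming the reader has seen them here.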