xss-request-parameter-reflected-in-response

Reflecting user-controlled input in an application's response can lead to XSS vulnerabilities if the response is not output-encoded and the input is not sanitized of dangerous characters.

Flask does not always output-encode by default, so passing user-controlled values straight from the request into the response can lead to XSS vulnerabilities. When a template whose filename has the correct filetype suffix (for example .html) is rendered with render_template, Flask enables Jinja2 autoescaping and encodes the output so it is safe.

Examples

Insecure Example

from flask import Flask, make_response, request
app = Flask(__name__)

@app.route("/index")
def index():
    username = request.args.get("username")  # Arbitrary user input
    # The raw parameter is written into the response body without encoding,
    # so any markup in ?username= is reflected verbatim to the browser.
    return make_response("Hello World from {}".format(username))

Secure Example

from flask import Flask, render_template, request
app = Flask(__name__)

@app.route("/index")
def index():
    username = request.args.get("username")  # Arbitrary user input
    # Because the template filename ends with .html, Flask turns on Jinja2
    # autoescaping and the value WILL be correctly escaped when rendered.
    return render_template("index.html", username=username)
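As an added, stdlib-only illustration that is not part of this rule page, the snippet below reproduces both behaviours outside Flask: html.escape stands in for Jinja2's autoescape, template_is_autoescaped mirrors Flask's filename-suffix rule, and reflects_unescaped is a simple response check. The helper names and the sample input are constructed for this example.

```python
import html

# Flask enables Jinja2 autoescaping only for template names ending in one of
# these suffixes (Flask.select_jinja_autoescape); newer Flask versions also
# include ".svg". A template named "index.txt", or a raw string passed to
# make_response, is NOT escaped automatically.
AUTOESCAPED_SUFFIXES = (".html", ".htm", ".xml", ".xhtml")


def template_is_autoescaped(template_name: str) -> bool:
    """Mirror Flask's default rule for turning on Jinja2 autoescaping."""
    return template_name.endswith(AUTOESCAPED_SUFFIXES)


def insecure_reflect(username: str) -> str:
    """What the insecure example does: raw user input concatenated into HTML."""
    return "Hello World from {}".format(username)


def secure_reflect(username: str) -> str:
    """What a *.html template gives you: the value is HTML-encoded first.

    html.escape stands in for Jinja2's autoescape (it encodes & < > " and ').
    """
    return "Hello World from {}".format(html.escape(username, quote=True))


def reflects_unescaped(body: str, user_value: str) -> bool:
    """Response check: the user value contains characters that need encoding
    and still appears verbatim in the body, i.e. it was reflected unencoded."""
    needs_encoding = any(ch in user_value for ch in "<>\"'&")
    return needs_encoding and user_value in body


if __name__ == "__main__":
    # Constructed input: harmless markup, enough to show whether encoding happened.
    tainted = '<b title="x">Mallory</b>'
    for label, render in (("insecure", insecure_reflect), ("secure", secure_reflect)):
        body = render(tainted)
        print(f"{label}: {body!r} reflected unescaped={reflects_unescaped(body, tainted)}")
    for name in ("index.html", "index.txt", "mail.xhtml"):
        print(f"{name}: autoescaped={template_is_autoescaped(name)}")
```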