Reading Flask Documentation

So I'm reading the Flask docs at the moment and I came across this…

If a user managed to submit the name <script>alert("bad")</script>

Am I correct in thinking that this would allow you to see the script as the code rather than running it?

And how would one go about testing that this isn't possible?

https://flask.palletsprojects.com/en/2.0.x/quickstart/#html-escaping

Yes.

If those script tags were inserted into an HTML file as they are, the browser would parse them as a script element and run the code inside the tags. You don't want that, because that would basically allow your users to run any JavaScript they like on your site.

What escaping does is replace any characters that have special meaning in HTML (like < and >, which open and close HTML tags) with their corresponding escape sequences.

<script>doBadThings()</script>

becomes

&lt;script&gt;doBadThings()&lt;&sol;script&gt;

and here the browser doesn’t recognize any tags, so bad things don’t happen (unless you count this gibberish being printed on the page as bad things happening).

Whenever you handle strings that you get from your users, you have to do this. It’s even more important when you’re passing user input to some database, because otherwise your users could potentially obliterate all your data by sending you a string like "DROP TABLE". There are lots of jokes about that one…

Well, if you have some form where your input gets printed on the page on submit, try submitting <script>alert("boom")</script>. If you get a pop-up saying “boom”, then escaping doesn’t work. If it just gets printed as you typed it, then it works.

Great explanation!! Thank you, it seems the way the course teaches us to implement Flask with layouts automatically does this, which is great.

But this is great to know if I ever have to implement without a layout. Also thanks for the read in regards to 'Drop Table'. SQL injection seems to be the same situation if you're not careful with user input.

Happy to help. Actually my explanation wasn’t quite correct. Of course the gibberish won’t render like that on the page: The browser transforms the escape sequences back into the original symbols after parsing the tree.
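The escaping, the manual "submit a script tag and see if it stays a tag" check from the answer, and the correction about what the browser displays, as an added example that is not part of the thread or of Flask itself. It uses only the Python standard library; `escape`, `render_hello` and `has_raw_script_tag` are hypothetical names, and the entity choices for quotes are an assumption (Flask's markupsafe escapes the same five characters but may pick different entity spellings).

```python
import html
import re

# Characters with special meaning in HTML and the entity each one becomes.
# Assumed table for this example, not copied from Flask/markupsafe.
ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def escape(text: str) -> str:
    """Replace every special character so the parser sees text, not markup."""
    return "".join(ESCAPES.get(ch, ch) for ch in text)


def render_hello(name: str, autoescape: bool = True) -> str:
    """Hypothetical view: the quickstart's hello page, with or without escaping.
    autoescape=False is the vulnerable form, kept only to show the difference."""
    shown = escape(name) if autoescape else name
    return f"<h1>Hello, {shown}!</h1>"


# A real script element starts with a literal '<' followed by 'script'.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def has_raw_script_tag(page: str) -> bool:
    """The check the answer describes, automated: would the browser find
    an executable <script> element in this rendered page?"""
    return SCRIPT_TAG.search(page) is not None


def displayed_text(escaped: str) -> str:
    """The correction from the thread: after parsing, the browser turns the
    entities back into the original characters for display."""
    return html.unescape(escaped)


if __name__ == "__main__":
    # Constructed input: the same probe the answer suggests typing into a form.
    payload = '<script>alert("boom")</script>'
    vulnerable = render_hello(payload, autoescape=False)
    hardened = render_hello(payload)
    print(vulnerable, "->", has_raw_script_tag(vulnerable))   # True: executes
    print(hardened, "->", has_raw_script_tag(hardened))       # False: plain text
    print(displayed_text(escape(payload)))                    # shows the original
```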