You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The code in the Quickstart's HTML Escaping section does not render name=<script>alert("bad")</script> to text because the slash in </script> gets interpreted as a trailing slash, leading to a 404.
Getting the name as a query parameter instead allows:
the script tag to be rendered as text if HTML escaping is done
the alert in the script tag to be executed if HTML escaping is not done.
@davidism, I realized that for docs changes I should've made the PR from the stable branch. I've closed the previous PR and made a new one pointing to the correct branch.
I wonder if there's a way to demonstrate the issue using the existing url, rather than changing to the path type, which doesn't really make sense in this context. Either using something like <img> that doesn't require a closing tag, or taking the argument from request.args?
I wonder if there's a way to demonstrate the issue using the existing url, rather than changing to the path type, which doesn't really make sense in this context. Either using something like <img> that doesn't require a closing tag, or taking the argument from request.args?
I agree. Since the emphasis on escaping is to prevent the execution of scripts, I went ahead with using request.args to ensure correct demonstration of the issue.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The code in the Quickstart's HTML Escaping section does not render name=<script>alert("bad")</script> to text because the slash in </script> gets interpreted as a trailing slash, leading to a 404.
Getting the name as a query parameter instead allows: