Docs: Fix escaping in HTML escaping example (#5742)

David Lord 2025-08-18 10:20:06 -07:00 committed by GitHub
commit c56c5ec7c4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 6 additions and 8 deletions


@ -139,18 +139,16 @@ how you're using untrusted data.
.. code-block:: python
from flask import request
from markupsafe import escape
@app.route("/<name>")
def hello(name):
@app.route("/hello")
def hello():
name = request.args.get("name", "Flask")
return f"Hello, {escape(name)}!"
If a user managed to submit the name ``<script>alert("bad")</script>``,
escaping causes it to be rendered as text, rather than running the
script in the user's browser.
``<name>`` in the route captures a value from the URL and passes it to
the view function. These variable rules are explained below.
If a user submits ``/hello?name=<script>alert("bad")</script>``, escaping causes
it to be rendered as text, rather than running the script in the user's browser.
Routing
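Review bot: the replacement prose, "If a user submits ``/hello?name=<script>alert("bad")</script>``, escaping causes it to be rendered as text", would be clearer with a short clause saying that the browser percent-encodes ``<``, ``>`` and ``"`` in the query string and Werkzeug decodes them when building ``request.args``, so the ``name`` value handed to ``escape()`` is the literal script tag; as written, a reader may wonder whether that URL is valid at all. The switch from the ``/<name>`` path rule to ``request.args.get("name", "Flask")`` is the right call for this example, since a value containing ``/`` would not have matched the default string converter, and the removed sentence about variable rules no longer belongs here once the route has no ``<name>`` variable.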