root
/
flask
mirror of https://github.com/pallets/flask.git
1
0
Fork 0
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Docs: Fix escaping in HTML escaping example (#5742)

This commit is contained in:
David Lord 2025-08-18 10:20:06 -07:00 committed by GitHub
parent 7fea7cf156 0f83958247
commit c56c5ec7c4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 6 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
docs/quickstart.rst
View File

@ -139,18 +139,16 @@ how you're using untrusted data.
.. code-block:: python .. code-block:: python
from flask import request
from markupsafe import escape from markupsafe import escape
@app.route("/<name>") @app.route("/hello")
def hello(name): def hello():
name = request.args.get("name", "Flask")
return f"Hello, {escape(name)}!" return f"Hello, {escape(name)}!"
If a user managed to submit the name ``<script>alert("bad")</script>``, If a user submits ``/hello?name=<script>alert("bad")</script>``, escaping causes
escaping causes it to be rendered as text, rather than running the it to be rendered as text, rather than running the script in the user's browser.
script in the user's browser.
``<name>`` in the route captures a value from the URL and passes it to
the view function. These variable rules are explained below.
Routing Routing