Badhreesh 2025-06-09 01:09:43 -07:00 committed by GitHub
commit ca07265990
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed file with 11 additions and 6 deletions


@ -139,19 +139,22 @@ how you're using untrusted data.
.. code-block:: python
from flask import request
from markupsafe import escape
@app.route("/<name>")
def hello(name):
@app.route("/hello")
def hello():
name = request.args.get("name", "")
return f"Hello, {escape(name)}!"
If a user managed to submit the name ``<script>alert("bad")</script>``,
User input can be submitted to the view function via the URL as query parameters,
like ``/hello?name=Bob``. Refer :ref:`the-request-object` for information on how
the query parameters are accessed.
If a user managed to submit ``/hello?name=<script>alert("bad")</script>``,
escaping causes it to be rendered as text, rather than running the
script in the user's browser.
``<name>`` in the route captures a value from the URL and passes it to
the view function. These variable rules are explained below.
Routing
-------
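Review bot: "Refer :ref:`the-request-object` for information on how the query parameters are accessed." in the new paragraph is ungrammatical; write "Refer to :ref:`the-request-object` ..." or simply "See :ref:`the-request-object` ...". A second point, at the removed lines "``<name>`` in the route captures a value from the URL and passes it to the view function. These variable rules are explained below.": that sentence was the transition into the ``Routing`` section that immediately follows this paragraph, and with it dropped the text jumps from escaping straight to the heading while the route-variable form of the example (the case Routing's variable rules describe) no longer appears anywhere above it. Consider keeping a one-line pointer, e.g. "Values can also be captured from the URL path with ``<name>``; these variable rules are explained under Routing below." The escaping point itself still holds for the query-string version, since ``request.args.get`` returns a plain ``str`` and ``escape(name)`` is applied before interpolation; note only that with the ``""`` default ``/hello`` renders ``Hello, !``, which is fine for an escaping example but worth a word if readers are expected to run it as is.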
@ -504,6 +507,8 @@ The other possibility is passing a whole WSGI environment to the
with app.request_context(environ):
assert request.method == 'POST'
.. _the-request-object:
The Request Object
``````````````````
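Review bot: the new ``.. _the-request-object:`` target appears directly after the ``assert request.method == 'POST'`` line of the preceding literal block; in reStructuredText an explicit target must be separated from that indented block by a blank line and must immediately precede the section title it labels (a blank line between the target and "The Request Object" is allowed), otherwise docutils folds the label into the literal block and the ``:ref:`the-request-object``` added in the first hunk fails to resolve. If the rendered view here has simply dropped the blank lines, nothing is needed; otherwise add one before the label and build the docs once to confirm the cross-reference resolves.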