mirror of https://github.com/pallets/flask.git
Compare commits: 60dae2edf4...ca07265990 (8 commits)

| Author | SHA1 | Date |
|---|---|---|
| | ca07265990 | |
| | 6e064b3ff2 | |
| | d4390442b7 | |
| | ac00a998a3 | |
| | 5e3031e189 | |
| | c8d80f690b | |
| | d47ede1540 | |
| | 0f2004c9e6 | |
@ -139,19 +139,22 @@ how you're using untrusted data.

.. code-block:: python

from flask import request
from markupsafe import escape

@app.route("/<name>")
def hello(name):
@app.route("/hello")
def hello():
name = request.args.get("name", "")
return f"Hello, {escape(name)}!"

If a user managed to submit the name ``<script>alert("bad")</script>``,
User input can be submitted to the view function via the URL as query parameters,
like ``/hello?name=Bob``. Refer :ref:`the-request-object` for information on how
the query parameters are accessed.

If a user managed to submit ``/hello?name=<script>alert("bad")</script>``,
escaping causes it to be rendered as text, rather than running the
script in the user's browser.

``<name>`` in the route captures a value from the URL and passes it to
the view function. These variable rules are explained below.


Routing
-------
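Review bot: "Refer :ref:`the-request-object` for information on how the query parameters are accessed." is missing a preposition; suggest "Refer to :ref:`the-request-object` ..." or simply "See :ref:`the-request-object` ...". The label it points to is added further down in this same change, so the cross-reference resolves, but this sentence is the first place the quickstart sends readers to the request documentation and should read cleanly. One more documentation nit on the new snippet: `name = request.args.get("name", "")` silently falls back to an empty string, so `/hello` without a parameter renders `Hello, !` rather than failing; a half sentence saying that the second argument is the default when the parameter is absent would explain the only part of the example the surrounding prose does not cover.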
@ -504,6 +507,8 @@ The other possibility is passing a whole WSGI environment to the

with app.request_context(environ):
assert request.method == 'POST'

.. _the-request-object:

The Request Object
``````````````````
