Open Scott3142 opened 3 years ago
So turns out that Flask will use the Jinja2 template to do a lot of the heavy lifting to protect from XSS. I just looked at Documentation to check: https://flask-doc.readthedocs.io/en/latest/security.html, if you're interested.
When using Flask with Jinja2 templates, it is automatically set to escape the HTML for us. Also, adding quote marks around Jinja expressions works in this way too - if you did `<td><a href="/delete/{{ 'game.id '}}" </td>`.
Also yep, for the DB connection, SQLAlchemy helps with that; some aspects of protection against SQL injection are implicit.
Obviously, in a larger application with sensitive data, I wouldn't rely solely on frameworks/templates to automatically protect against every kind of attack. They don't cover it all and do have a lot of their own vulnerabilities themselves, but for this simple app, it seems to do the trick!
Interesting! 😃
I tried a bit of XSS scripting (by putting something like
<script> alert("You have been hacked!"); </script>
in your user input fields), but the inputs seem to be sanitized appropriately. Do you know for sure that they are? I'm generally familiar with Flask but I've never used it with a db connection like you have here. It might be implicit, but it's worth checking you don't leave yourself open to any injection attacks. Happy to chat it through with you if you're interested, but I think you probably know more than me about this code!
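To make the two claims in this thread concrete (Jinja2 autoescaping neutralising the `<script>` test input, and bound parameters keeping user input out of the SQL text), here is an added, self-contained example that is not part of the thread or of the project being discussed. It uses only the Python standard library: `html.escape` stands in for what Jinja2's autoescape does to `{{ game.id }}` in an `.html` template, and `sqlite3` bound parameters stand in for what SQLAlchemy does under the hood. The `game` table, its rows, the `delete` link markup and the `XSS_PAYLOAD` string are all constructed for the example; `find_game_vulnerable` is the deliberately unsafe variant shown next to its safe counterpart.

```python
"""Stand-in for the two protections discussed in the thread (constructed example).

- html.escape does what Jinja2's autoescape does for .html templates: characters
  that are special in HTML become entities, so user input renders as text.
- sqlite3 bound parameters do what SQLAlchemy does underneath: the value is sent
  separately from the SQL text, so it cannot change the query's structure.
"""
import html
import sqlite3

# Constructed payload, the same kind of input tried in the thread.
XSS_PAYLOAD = '<script> alert("You have been hacked!"); </script>'


def render_delete_link(game_id) -> str:
    """Render the delete cell with the value escaped, the way Jinja2 renders
    {{ game.id }} inside a quoted href with autoescaping on.

    quote=True also encodes " and ', so an escaped value cannot close the
    surrounding attribute quotes; the quotes around href="..." are what matter."""
    return '<td><a href="/delete/{0}">delete</a></td>'.format(
        html.escape(str(game_id), quote=True)
    )


def render_unescaped(game_id) -> str:
    """What you get when escaping is bypassed, e.g. {{ game.id | safe }} or a
    Markup() object in Jinja2: the raw value lands in the page."""
    return '<td><a href="/delete/{0}">delete</a></td>'.format(str(game_id))


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE game (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO game (title) VALUES (?)", [("Chess",), ("Go",), ("Catan",)]
    )
    conn.commit()
    return conn


def find_game_vulnerable(conn: sqlite3.Connection, title: str) -> list:
    """Unsafe: string formatting makes user input part of the SQL text."""
    return conn.execute(
        f"SELECT id, title FROM game WHERE title = '{title}'"
    ).fetchall()


def find_game_safe(conn: sqlite3.Connection, title: str) -> list:
    """Safe: the driver binds the value; it is only ever compared as data."""
    return conn.execute(
        "SELECT id, title FROM game WHERE title = ?", (title,)
    ).fetchall()


if __name__ == "__main__":
    print(render_delete_link(XSS_PAYLOAD))
    print(render_unescaped(XSS_PAYLOAD))
    db = make_db()
    print(find_game_safe(db, "x' OR '1'='1"))        # [] - treated as a literal title
    print(find_game_vulnerable(db, "x' OR '1'='1"))  # every row - structure was changed
```

Two caveats worth checking in the real app: Flask turns autoescaping on only for templates it loads from files ending in `.html`, `.htm`, `.xml` or `.xhtml` (and for `render_template_string`), and any use of the `| safe` filter or `Markup` switches it off for that value; on the database side the protection from SQLAlchemy holds for ORM queries and for `text()` with bound parameters, not for SQL strings assembled with string formatting before they reach SQLAlchemy.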