We have a free program analysis tool for Python-based web projects, called Bento. While we were scanning GitHub projects for issues, your project triggered a warning for unescaped Jinja templates.
This is a tricky issue. By default, Flask auto-escapes any Jinja template file that ends with .html, .htm, .xml, or .xhtml. Your template files end with the .jinja extension so they won't be auto-escaped. This may lead to XSS attacks. (https://checks.bento.dev/en/latest/flake8-flask/unescaped-file-extension/)
Looking at your code, you are passing the items and nickname variables to the render_template() function. I didn't look carefully at how you populate the g.user.nickname value (so it is worth looking into that), but I went ahead and HTML-escaped the items value using the {{value|e}} pattern in Jinja. (https://jinja.palletsprojects.com/en/2.10.x/templates/#working-with-manual-escaping)
Other than this, the code is really clean. Bento runs Flake8, Bandit and our custom checks, and it didn't find anything else in your code. Feel free to download and give Bento a try (https://bento.dev)
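The extension rule described above, as an added example that is neither Bento's code nor this project's: it mirrors Flask's select_jinja_autoescape() decision (escape only for .html/.htm/.xml/.xhtml, or when no filename is known) in a small stand-alone checker, lists the template files a scan would flag, and applies the same policy in a toy renderer so the difference between {{ nickname }} in a .jinja file and {{ nickname|e }} is visible. The placeholder syntax handled by the toy renderer (just {{ name }} and {{ name|e }}) and the sample template names are assumptions made for the example; real Jinja templates should be rendered by Jinja, this only illustrates the escaping decision.

```python
"""Added example, not code from Bento or from the project under review."""
import html
import re
from typing import Dict, List, Optional

# Extensions for which Flask turns Jinja auto-escaping on. This tuple mirrors
# Flask's select_jinja_autoescape(); later Flask releases extend it, so treat
# the list as the rule to check against, not as a fixed fact.
AUTOESCAPE_EXTENSIONS = (".html", ".htm", ".xml", ".xhtml")


def flask_autoescapes(filename: Optional[str]) -> bool:
    """Reimplementation of Flask's rule: string templates (no filename) are
    escaped; file templates are escaped only if their extension matches."""
    if filename is None:
        return True
    return filename.endswith(AUTOESCAPE_EXTENSIONS)


def find_unescaped_templates(filenames: List[str]) -> List[str]:
    """Names of template files Flask would render WITHOUT auto-escaping
    (the condition Bento's unescaped-file-extension check warns about)."""
    return [name for name in filenames if not flask_autoescapes(name)]


# Toy placeholder syntax for the demonstration (an assumption of this example):
# {{ name }} or {{ name|e }}; group 2 is present when the |e filter is used.
_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)(\s*\|\s*e)?\s*\}\}")


def unescaped_placeholders(template: str, filename: Optional[str]) -> List[str]:
    """Variables in `template` that would reach the output unescaped: only
    possible when auto-escaping is off for this filename and |e is missing."""
    if flask_autoescapes(filename):
        return []
    return [m.group(1) for m in _PLACEHOLDER.finditer(template) if not m.group(2)]


def render(template: str, context: Dict[str, object], filename: Optional[str]) -> str:
    """Render the toy template with the same policy Flask/Jinja apply:
    escape when auto-escaping is on for the file, or when |e is requested."""
    auto = flask_autoescapes(filename)

    def substitute(match: "re.Match[str]") -> str:
        value = str(context[match.group(1)])
        if auto or match.group(2):
            return html.escape(value, quote=True)
        return value

    return _PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    # Constructed sample: an attacker-controlled nickname reaching the template.
    evil_nickname = "<script>alert(1)</script>"
    print(find_unescaped_templates(["index.html", "items.jinja", "feed.xml"]))
    print(render("Hi {{ nickname }}", {"nickname": evil_nickname}, "hi.jinja"))
    print(render("Hi {{ nickname|e }}", {"nickname": evil_nickname}, "hi.jinja"))
    print(unescaped_placeholders("{{ items|e }} {{ nickname }}", "items.jinja"))
```

Running the script prints the one flagged template name, the raw script tag passed through by the .jinja template, the escaped form once |e is added, and `['nickname']` as the remaining unescaped variable, which is exactly the g.user.nickname value the description says still needs a look.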