zhenghaoz
commented
4 years ago Hi, thanks for your suggestion. However, since elements in items are restricted to digits. it's unnecessary to escape these variables. :D
Closed daghan closed 4 years ago
zhenghaoz
commented
4 years ago Hi, thanks for your suggestion. However, since elements in items are restricted to digits. it's unnecessary to escape these variables. :D
Hi there,
We have a free program analysis tool for Python based web projects, called Bento. While we were scanning GitHub projects for issues, your project triggered a warning for unescaped Jinja templates.
This is a tricky issue. By default, Flask auto-escapes any Jinja template file that ends with
.html,.htm,.xml, or.xhtml. Your template files end with the.jinjaextension so they won't be auto-escaped. This may lead to XSS attacks. (https://checks.bento.dev/en/latest/flake8-flask/unescaped-file-extension/)Looking at your code, you are passing
itemsandnicknamevariables torender_template()function. I didn't look carefully how you populate theg.user.nicknamevalue (so it is worth looking into that) but I went ahead and html-escaped theitemsvalue using the{{value|e}}pattern in Jinja. (https://jinja.palletsprojects.com/en/2.10.x/templates/#working-with-manual-escaping)Other than this, the code is really clean. Bento runs Flake8, Bandit and our custom checks and it didn't find anything else on your code. Feel free download and give Bento a try (https://bento.dev)