Allow markup-ing literal strings (#3402)
Literal strings in the application should be safe (similar to static
markup in template files), and the normal way to create dynamic markup
code-side is to create a properly marked-up `Markup`, then `Markup.format`
user-defined content into it.
xmo-odoo authored Jun 25, 2024
1 parent bc11077 commit 4ccd3b9
Showing 2 changed files with 14 additions and 5 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -14,11 +14,12 @@ def markup_test():

playlist = request.args.get('p')
if playlist:
playlist = '"{0}"'.format(playlist.replace('\"', '\\\"').strip())
# ok: explicit-unescape-with-markup
playlist = Markup('"{0}"').format(playlist.replace('\"', '\\\"').strip())
else:
playlist = '""'
# ruleid: explicit-unescape-with-markup
return render_template('/markup.html', query=Markup(search_query), playlist=Markup(playlist))
return render_template('/markup.html', query=Markup(search_query), playlist=playlist)

@app.route('/markup_unescape')
def markup_unescape_test():
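Review bot: the `ok:` case `playlist = Markup('"{0}"').format(playlist.replace('\"', '\\\"').strip())` keeps the manual backslash-escaping of double quotes even though `Markup.format` now HTML-escapes its argument, so a `"` in `p` is rendered as `\&#34;` rather than `\"`; the `.replace(...)` is redundant under the new construction and misleads readers of the fixture about what `Markup.format` already does, so either drop it from the `ok:` line or leave it only on the `ruleid:` variant. The `query=Markup(search_query)` on the `ruleid:` `return` line remains the flagged call, which is the intended coverage.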
Expand All @@ -29,8 +30,10 @@ def markup_unescape_test():
@app.route('/markupsafe')
def markupsafe_test():
search_query = request.args.get('q')
# ok: explicit-unescape-with-markup
playlist = Markup("<i>empty</i>")
# ruleid: explicit-unescape-with-markup
return render_template('/markup-unescape.html', query=mkup(search_query))
return render_template('/markup-unescape.html', query=mkup(search_query), playlist=playlist)

@app.route('/good')
def good_test():
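Review bot: the new `ok:` case only exercises a plain double-quoted literal, `Markup("<i>empty</i>")`, and the rule's literal carve-out hinges entirely on what `"..."` matches; add a companion `ruleid:` line with an interpolated string (an f-string such as `Markup(f"<i>{search_query}</i>")`, and a concatenation such as `Markup("<i>" + search_query + "</i>")`) so the fixture pins down that strings carrying request data are still reported rather than absorbed by the literal exception.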
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,13 @@ rules:
- python
severity: WARNING
pattern-either:
- pattern: flask.Markup(...)
- pattern: flask.Markup.unescape(...)
- pattern: markupsafe.Markup(...)
- pattern: $MARKUPOBJ.unescape()
- patterns:
- pattern-either:
- pattern: flask.Markup($Q)
- pattern: markupsafe.Markup($Q)
- metavariable-pattern:
metavariable: $Q
patterns:
- pattern-not: '"..."'
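Review bot: replacing `flask.Markup(...)` / `markupsafe.Markup(...)` with the single-metavariable form `flask.Markup($Q)` narrows the rule beyond the intended literal exception: a keyword call such as `Markup(base=q)` or a call with more than one argument no longer binds `$Q` and silently drops out of the match. To keep the old reach while still excluding literals, retain `pattern: flask.Markup(...)` and pair it with `pattern-not: flask.Markup("...")` (and the same pair for `markupsafe.Markup`) inside the `patterns:` block, instead of binding one positional metavariable. Also worth confirming in the test fixture whether `'"..."'` matches f-strings in semgrep's Python grammar; if it does, `Markup(f"<b>{x}</b>")` would be treated as a safe literal, contradicting the commit's stated intent.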
