make-response-with-unknown-content
Be careful with flask.make_response(). If this response is rendered onto a webpage, this could create a cross-site scripting (XSS) vulnerability. flask.make_response() will not autoescape HTML. If you are rendering HTML, write your HTML in a template file and use flask.render_template(), which will take care of escaping. If you are returning data from an API, consider using flask.jsonify().
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
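The following is an added example, not part of the rule page and not Semgrep's or Flask's own code. It puts the pattern the rule flags beside the two alternatives the rule recommends, and exercises each with Flask's test client. The route names, the `?name=` parameter and the constructed `<script>` payload are assumptions made for the demo; render_template_string is used instead of render_template only so the template can live inline (both autoescape; a real app would keep the template in a file as the rule says). Note that jsonify() does not HTML-escape the string either: its protection is that the body is serialised as JSON and served as application/json, so a browser does not treat it as a document.

```python
"""Added example: flask.make_response() reflects input verbatim, whereas
render_template* autoescapes and jsonify() serves data as JSON."""
import json

from flask import Flask, jsonify, make_response, render_template_string, request

app = Flask(__name__)

# Constructed sample input: what a user might put in ?name=
PAYLOAD = "<script>alert(1)</script>"


@app.route("/unsafe")
def unsafe():
    # The pattern the rule flags: make_response() does no escaping, so the
    # query-string value is copied into the HTML body verbatim (reflected XSS
    # if a browser renders this page).
    name = request.args.get("name", "world")
    return make_response(f"<h1>Hello {name}</h1>")


@app.route("/safe-html")
def safe_html():
    # Jinja autoescapes {{ name }}; render_template_string always autoescapes,
    # as does render_template() for .html templates (the rule's recommendation).
    name = request.args.get("name", "world")
    return render_template_string("<h1>Hello {{ name }}</h1>", name=name)


@app.route("/safe-json")
def safe_json():
    # For API data, jsonify() serialises to JSON and sets
    # Content-Type: application/json, so the body is data, not a document.
    name = request.args.get("name", "world")
    return jsonify(greeting=f"Hello {name}")


def fetch(path: str, name: str = PAYLOAD):
    """Call a route with the test client; return (body, mimetype)."""
    with app.test_client() as client:
        resp = client.get(path, query_string={"name": name})
        return resp.get_data(as_text=True), resp.mimetype


def raw_script_in_html(path: str) -> bool:
    """True if the route serves text/html AND the raw <script> tag survives,
    i.e. a browser would execute the injected payload."""
    body, mimetype = fetch(path)
    return mimetype == "text/html" and PAYLOAD in body


if __name__ == "__main__":
    for route in ("/unsafe", "/safe-html", "/safe-json"):
        body, mimetype = fetch(route)
        print(f"{route:11s} {mimetype:17s} xss={raw_script_in_html(route)} {body!r}")
```

Running the module prints one line per route; only `/unsafe` reports `xss=True`. The same three-way comparison is what a code reviewer should apply to any make_response() call that Semgrep flags: does the string contain attacker-influenced data, and is the response going to be rendered as HTML?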