python.flask.security.xss.audit.template-unescaped-with-safe.template-unescaped-with-safe
Community Favorite
Author: semgrep
Download Count*: 81,861
License: Commons Clause License Condition v1.0 [LGPL-2.1-only]
Detected a segment of a Flask template where autoescaping is explicitly disabled with '| safe' filter. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability.
Definition
rules:
  - id: template-unescaped-with-safe
    message: Detected a segment of a Flask template where autoescaping is explicitly
      disabled with '| safe' filter. This allows rendering of raw HTML in this
      segment. Ensure no user data is rendered here, otherwise this is a
      cross-site scripting (XSS) vulnerability.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss
      category: security
      technology:
        - flask
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - regex
    paths:
      include:
        - "*.html"
    severity: WARNING
    pattern-regex: "{{.*?\\|\\s*safe(\\s*}})?"
Examples
template-unescaped-with-safe.html
{% extends "container.html" %}
{% block opengraph %}
<meta property="og:locale" content="en_US" />
<meta property="og:type" content="website" />
<meta property="og:site_name" content="semgrep" />
<meta property="og:description" content="content" />
<!-- ruleid: template-unescaped-with-safe -->
<meta property="og:image" content="{{ url_for('static', filename='picture.jpg', _external=True) | safe }}" />
<meta property="og:image:type" content="image/jpeg" />
<meta property="og:image:width" content="600" />
<meta property="og:image:height" content="600" />
<!-- ok -->
<meta property="not-real-only-for-testing" content="{{ safe }}" />
<!-- Google OAuth sign-in -->
<meta name="google-signin-scope" content="profile email openid">
<!-- ruleid: template-unescaped-with-safe -->
<meta name="google-signin-client_id" content="{{ client_id | safe }}">
<!-- ruleid: template-unescaped-with-safe -->
<div>{{ var | safe }}</div>
<!-- ruleid: template-unescaped-with-safe -->
<div>{{var | safe }}</div>
<!-- ruleid: template-unescaped-with-safe -->
<div>{{var| safe }}</div>
<!-- ruleid: template-unescaped-with-safe -->
<div>{{var|safe }}</div>
<!-- ruleid: template-unescaped-with-safe -->
<div>{{var|safe}}</div>
<!-- ruleid: template-unescaped-with-safe -->
<div>{{ var | safe }}</div>
<!-- ruleid: template-unescaped-with-safe -->
<div>{{ var |safe }}</div>
<!-- ruleid: template-unescaped-with-safe -->
<div>{{ var|safe }}</div>
{% endblock %}
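As an added example (not part of the rule or of the Semgrep project's code), the rule's pattern-regex applied line by line to a constructed template excerpt. It reproduces which of the test file's cases the rule flags and which it does not, and adds one case a regex-only rule cannot see: a value marked safe inside a "{% set %}" statement and output later as "{{ raw }}", which Jinja2 still renders unescaped. The function and sample text are assumptions of this example.

```python
import re

# The rule's pattern-regex as written in the YAML above; YAML unquoting turns
# "\\|" into "\|" and "\\s" into "\s", which is what the raw string holds here.
SAFE_FILTER_RE = re.compile(r"{{.*?\|\s*safe(\s*}})?")


def find_unescaped_safe(template_text: str) -> list[tuple[int, str]]:
    """Return (line_number, matched_text) for each '{{ ... | safe' expression.

    This mirrors what the Semgrep rule reports. Like the rule, it does not
    flag a variable that merely happens to be named 'safe' ('{{ safe }}'),
    and it cannot see '| safe' applied inside a '{% ... %}' statement tag,
    so a value marked safe via '{% set %}' and printed later is missed.
    """
    hits = []
    for lineno, line in enumerate(template_text.splitlines(), start=1):
        for match in SAFE_FILTER_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


# Constructed template excerpt: lines 1-4 are taken from the test file above,
# lines 5-7 are added to show a chained filter and the '{% set %}' blind spot.
SAMPLE_TEMPLATE = """\
<meta property="og:image" content="{{ url_for('static', filename='picture.jpg', _external=True) | safe }}" />
<meta property="not-real-only-for-testing" content="{{ safe }}" />
<div>{{ var | safe }}</div>
<div>{{var|safe}}</div>
<div>{{ var | safe | upper }}</div>
{% set raw = var | safe %}
<div>{{ raw }}</div>
"""

if __name__ == "__main__":
    # Flags lines 1, 3, 4 and 5; line 2 is a plain variable, and lines 6-7
    # are the false negative a reviewer has to find by reading the template.
    for lineno, text in find_unescaped_safe(SAMPLE_TEMPLATE):
        print(f"line {lineno}: {text}")
```

Because the rule is regex-based, a manual review of every "| safe" (including those inside "{% set %}" and macro bodies) is still needed to confirm no user-controlled data reaches the marked value.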
Short Link: https://sg.run/W8og