LabEx
Log InJoin For Free

Secure HTML Rendering with Flask

PythonPythonBeginner
Practice Now

Introduction

When returning HTML (the default response type in Flask), any user-provided values rendered in the output must be escaped to protect from injection attacks. In this lab, you will learn how to use escape for achieving this. Also HTML templates rendered with Jinja, introduced later, will do this automatically. For now, you can just use escape to do this manually.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL python(("`Python`")) -.-> python/BasicConceptsGroup(["`Basic Concepts`"]) python(("`Python`")) -.-> python/ModulesandPackagesGroup(["`Modules and Packages`"]) python(("`Python`")) -.-> python/AdvancedTopicsGroup(["`Advanced Topics`"]) python/BasicConceptsGroup -.-> python/strings("`Strings`") python/ModulesandPackagesGroup -.-> python/using_packages("`Using Packages`") python/AdvancedTopicsGroup -.-> python/decorators("`Decorators`") subgraph Lab Skills python/strings -.-> lab-148875{{"`Secure HTML Rendering with Flask`"}} python/using_packages -.-> lab-148875{{"`Secure HTML Rendering with Flask`"}} python/decorators -.-> lab-148875{{"`Secure HTML Rendering with Flask`"}} end

Escape

In this step, you will learn how to use escape for achieving protection from injections attacks.

  1. Open the html_escaping.py file and first import the Flask class and escape.
from flask import Flask
from markupsafe import escape
  1. Next create an instance of the Flask class.
app = Flask(__name__)
  1. Then we use the route() decorator to create a route / with a view function called escaping. In the function define a JavaScript code snippet and use escape to render it as text, escape any characters that have special meanings in HTML.
@app.route('/')
def escaping():
    input = "<script>alert('XSS attack');</script>"
    escaped_input = escape(input)
    return f"User input: {escaped_input}"
  1. Creating a main entry point of the script for starting the Flask application at port 5000, enabling the debug mode.
if __name__ == "__main__":
    app.run(host='0.0.0.0', port=5000, debug=True)
  1. To run the application, first using the following commands to launched the Flask application in the terminal:
python3 html_escaping.py

Then open the "Web 5000" tab located at the top of the interface, refresh the page, and you should see the message:
XSS attack prevention example

  • The <script> tags are safely displayed as text without being executed as JavaScript, demonstrating the prevention of an XSS attack.

Summary

In this lab, we have learn how to use escape for manually escaping the input. This can be very useful when deal with potentially harmful attacks. Later we will learn how to render templates with Jinja, which can do this automatically and efficiently.

Other Python Tutorials you may like

Related Python Courses
Quick Start with Python

Quick Start with Python

LinuxPython
Beginner
Python Practice Challenges

Python Practice Challenges

Python
Beginner
Snake Game Using Python and Pygame

Snake Game Using Python and Pygame

PythonPygame
Beginner

We use cookies for a number of reasons, such as keeping the website reliable and secure, to improve your experience on our website and to see how you interact with it. By accepting, you agree to our use of such cookies. Privacy Policy