Flask-Jinja2 Template String Filters
2020-09-23
测试探索
The escape-disabling filter: safe
The xss_test.py file
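from flask import Flask, render_template, request

app = Flask(__name__)

@app.route("/xss", methods=["GET", "POST"])
def xss():
    text = ""
    if request.method == "POST":
        # Take the submitted form field as-is (untrusted user input)
        text = request.form.get("text")
    # xss.html decides whether this value is escaped on output
    return render_template("xss.html", text=text)

if __name__ == '__main__':
    # Debug mode is for local testing only
    app.run(debug=True)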
Path of the xss.html file
The xss.html file
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<form method="post">
<textarea name="text"></textarea>
<input type="submit" value="提交">
</form>
{{ text | safe}}
</body>
</html>
After starting the Flask application, enter <script>alert("hello attack");</script> in the input box.
If the xss.html template does not use the safe filter to disable escaping, the input is escaped.
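The difference described above, as an added example that is not part of the original post: the same payload rendered with and without `| safe`, a way to wrap untrusted text in trusted markup without switching escaping off, and a small check that lists `| safe` uses in a template for review. It assumes plain Jinja2 with `select_autoescape` standing in for Flask's default autoescaping of `.html` templates; the template names and the `bold` and `find_safe_filters` helpers are hypothetical.

```python
import re
from jinja2 import DictLoader, Environment, select_autoescape
from markupsafe import Markup

# The payload entered in the post's input box.
PAYLOAD = '<script>alert("hello attack");</script>'

# Constructed templates: the post's output line, with and without "| safe".
TEMPLATES = {
    "with_safe.html": "<body>{{ text | safe }}</body>",
    "without_safe.html": "<body>{{ text }}</body>",
}

# Assumption: select_autoescape(["html"]) mirrors Flask's autoescaping of .html templates.
env = Environment(loader=DictLoader(TEMPLATES),
                  autoescape=select_autoescape(["html"]))

def render(name, text):
    """Render one of the constructed templates with the given value."""
    return env.get_template(name).render(text=text)

def bold(text):
    """Trusted markup around untrusted text: Markup.format escapes its arguments."""
    return Markup("<b>{}</b>").format(text)

# Matches {{ ... | safe ... }} expressions, the places where escaping is turned off.
SAFE_FILTER = re.compile(r"\{\{[^}]*\|\s*safe\b[^}]*\}\}")

def find_safe_filters(source):
    """Return the template expressions that disable escaping, for manual review."""
    return SAFE_FILTER.findall(source)

if __name__ == "__main__":
    for name in TEMPLATES:
        print(name, "->", render(name, PAYLOAD))
    # Markup built by bold() is not escaped a second time by the template.
    print("bold ->", render("without_safe.html", bold(PAYLOAD)))
    for name, src in TEMPLATES.items():
        print(name, "uses safe:", find_safe_filters(src))
```

Every expression reported by `find_safe_filters` should only ever receive values that the application itself built or sanitized, never raw form input as in `xss_test.py`.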