Cross-site scripting (XSS) via safe filter disabling autoescape in Flask template

Severity: High Risk
Category: cross-site-scripting
Tags: python, flask, jinja2, safe-filter, xss, web

What it is

An XSS vulnerability in Flask/Jinja2 templates where the safe filter is used to disable autoescaping, so raw HTML is rendered directly into the page. When user-controlled data is marked as safe, attacker-supplied scripts execute in other users' browsers, leading to session theft and data compromise.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

Auto-escaping is Jinja2's default defence for Flask's HTML templates; applying the safe filter to a template variable that holds user-controlled data switches that defence off for that value.

Root causes

Safe Filter on User Data

The safe filter is applied to template variables containing user-controlled data, bypassing auto-escaping.

Disabling Auto-Escaping

The safe filter explicitly disables Jinja2's auto-escaping, allowing raw HTML to be rendered.

Fixes

1. Remove Safe Filter for Auto-Escaping

Remove the safe filter from dynamic values so that Jinja2 automatically escapes HTML metacharacters (<, >, &, quotes) in the output.

2. Sanitize HTML Before Marking Safe

If HTML content is genuinely required, sanitize it with an allowlist-based sanitizer such as Bleach (which keeps only approved tags and attributes) before marking it as safe.

3. Use Markup Class for Trusted Content Only

Use Flask's Markup class (provided by MarkupSafe and re-exported by older Flask versions) only for truly trusted, static HTML content authored by developers, never for user input.
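The following is an added example, not code from this page or from Sourcery, that shows the vulnerable rendering described under "What it is" next to the three fixes above. It assumes only Jinja2 (the engine Flask uses, with autoescaping enabled as Flask does for .html templates) and its dependency MarkupSafe; because Bleach may not be installed, the allowlist sanitizer is a small stdlib stand-in for it, and the user comment is constructed input.

```python
"""Added example: `|safe` on user data versus the three fixes.

Assumes Jinja2 and MarkupSafe only. The sanitizer below is a
stdlib stand-in for Bleach, not Bleach itself.
"""
from html import escape
from html.parser import HTMLParser

from jinja2 import Environment
from markupsafe import Markup

# Flask turns autoescaping on for .html templates; mirror that here.
env = Environment(autoescape=True)

# Constructed example of user-controlled input containing markup.
USER_COMMENT = '<b>hi</b><script>alert(1)</script>'


def render_vulnerable(comment: str) -> str:
    """The bug: `|safe` disables escaping, so the raw string is emitted."""
    return env.from_string('<p>{{ comment|safe }}</p>').render(comment=comment)


def render_fixed_autoescape(comment: str) -> str:
    """Fix 1: drop `|safe`; Jinja2 escapes < > & and quotes for us."""
    return env.from_string('<p>{{ comment }}</p>').render(comment=comment)


class _AllowlistSanitizer(HTMLParser):
    """Stand-in for Bleach: keep a few harmless tags, escape everything else.

    Attributes are dropped entirely, so event handlers and javascript: URLs
    on allowed tags never reach the output.
    """

    ALLOWED = {"b", "i", "em", "strong", "p"}

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}>" if tag in self.ALLOWED else escape(f"<{tag}>"))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>" if tag in self.ALLOWED else escape(f"</{tag}>"))

    def handle_data(self, data):
        # Text nodes are always escaped, whatever tag they sit inside.
        self.out.append(escape(data))


def sanitize(html: str) -> str:
    """Return HTML containing only allowlisted tags with no attributes."""
    parser = _AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def render_fixed_sanitized(comment: str) -> str:
    """Fix 2: sanitize first, then mark the *sanitized* result as safe."""
    return env.from_string('<p>{{ comment }}</p>').render(comment=Markup(sanitize(comment)))


# Fix 3: Markup only for static, developer-authored HTML, never user input.
SITE_FOOTER = Markup('<a href="/about">About</a>')


def render_footer() -> str:
    """Trusted static markup passes through autoescaping untouched."""
    return env.from_string('<footer>{{ footer }}</footer>').render(footer=SITE_FOOTER)


if __name__ == "__main__":
    print("vulnerable :", render_vulnerable(USER_COMMENT))
    print("autoescaped:", render_fixed_autoescape(USER_COMMENT))
    print("sanitized  :", render_fixed_sanitized(USER_COMMENT))
    print("footer     :", render_footer())
```

The vulnerable path emits the script tag verbatim; fix 1 escapes everything so the comment shows as literal text; fix 2 keeps the bold tag and still neutralises the script; fix 3 shows that Markup is reserved for content the developer wrote, which autoescaping leaves alone.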

Detect This Vulnerability in Your Code

Sourcery automatically identifies Cross-site scripting (XSS) via safe filter disabling autoescape in Flask template and many other security issues in your codebase.