Avoid Flask markup helpers fed by request data | Critiq Docs

#Metadata

Rule ID: py.security.flask-unsafe-html-output
Severity: high
Confidence: 0.86
Languages: python
Presets: security, strict
Stability: stable
Applies to: block
Tags: flask, python, rules-catalog, security, xss

#Why it matters

Markup helpers, render_template_string, and Jinja safe filters bypass escaping and commonly become XSS sinks.

#Remediation

Use automatic escaping, `render_template` with trusted contexts, or a vetted sanitizer instead of raw markup shortcuts.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/python/py.security.flask-unsafe-html-output.rule.yaml.

Back to directory Open rule in repository