Merge pull request #14084 from RasmusWL/flask-jsonify

Python: Remove XSS FP from use of `flask.jsonify`
2026-05-01 19:55:15 +02:00 · 2023-08-30 13:07:54 +02:00
parent 6a21fa04cd 49d510018d
commit 62c2316124
4 changed files with 28 additions and 3 deletions
--- a/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/reflected_xss.py
+++ b/python/ql/test/query-tests/Security/CWE-079-ReflectedXss/reflected_xss.py
@@ -1,5 +1,5 @@
 import json
-from flask import Flask, request, make_response, escape
+from flask import Flask, request, make_response, escape, jsonify

 app = Flask(__name__)

@@ -26,3 +26,9 @@ def unsafe_json():
 def safe_json():
    data = json.loads(request.data)
    return make_response(json.dumps(data), 200, {'Content-Type': 'application/json'})  # OK, FP
+
+
+@app.route("/jsonify")
+def jsonify():
+    data = request.data
+    return jsonify(data)  # OK, FP