Consider a Flask template that displays a user-provided string using the standard Jinja2 syntax: {{ user_input }}. The user inputs the string <script>alert('XSS')</script>. What will the rendered HTML output be?
{{ user_input }}
Think about how Jinja2 handles HTML special characters by default, and which side (Flask or Jinja2) turns that behaviour on.
Flask configures its Jinja2 environment with autoescaping enabled for templates whose file names end in .html, .htm, .xml or .xhtml (and .svg in recent releases), and for strings passed to render_template_string. With autoescaping on, {{ user_input }} replaces <, >, &, " and ' with HTML entities, so the rendered output is &lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;. The browser displays that as literal text and no script runs. The caveat is that a plain Jinja2 Environment does not autoescape unless you ask it to: the protection comes from Flask's configuration, and a template named, say, page.txt rendered by Flask is not escaped.
In a Flask Jinja2 template, you want to display raw HTML from a variable html_content without escaping. Which syntax correctly disables autoescaping?
Look for the Jinja2 filter that marks content as safe.
The safe filter ({{ html_content|safe }}) marks the value as trusted markup, so Jinja2 emits it without escaping. Equivalent ways to get the same effect are wrapping the value in markupsafe.Markup before passing it to the template, or surrounding part of the template with {% autoescape false %} ... {% endautoescape %}. All three should be reserved for HTML the application itself produced or passed through an HTML sanitizer, never for raw user input.
Given the Flask template snippet:
{{ user_input|safe }}
The user_input contains <script>alert('XSS')</script>. Why does this cause an XSS vulnerability?
Consider what the safe filter does to the output.
The safe filter tells Jinja2 that the value is already trusted markup, so the <script> tag is written into the response exactly as submitted and the browser executes alert('XSS'), or whatever script an attacker chose. Escaping is the only default defence Jinja2 applies, and safe switches it off for that value. Applying safe to unsanitized user input therefore reintroduces the stored or reflected XSS that autoescaping was preventing; if user-supplied HTML must be rendered, run it through an allowlist-based HTML sanitizer first and mark only the sanitizer's output as safe.
Which statement best describes how Flask's Jinja2 template autoescaping helps prevent XSS attacks?
Think about what happens to characters like < and > in output.
Autoescaping replaces characters like < and > with the HTML entities &lt; and &gt; (and likewise &, " and ' with &amp;, &#34; and &#39;), so browsers display them as text rather than interpreting them as HTML tags or attribute delimiters, preventing script execution. It covers HTML element and attribute contexts; it does not make a value safe to drop inside an inline <script> block or a javascript: URL, which need context-specific encoding.
Given the Flask template:
User comment: {{ comment }}
Admin note: {{ admin_note|safe }}
And the variables:
comment = "<b>Hello</b>"
admin_note = "<i>Important</i>"
What is the exact rendered HTML output?
Remember which variables are escaped and which are marked safe.
The comment variable is autoescaped, so its tags appear as entities, while admin_note is marked safe, so its tags render as real HTML. The exact output is:
User comment: &lt;b&gt;Hello&lt;/b&gt;
Admin note: <i>Important</i>
In the browser the first line shows the literal text <b>Hello</b> and the second shows Important in italics.
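The following script is an added example, not code from the original page, that reproduces the behaviour behind all five questions using Jinja2 directly (no Flask needed) so it can be run offline. The template names, the DictLoader-backed templates and the render helpers are assumptions chosen for the example; the autoescape rule is configured with select_autoescape to match the extension-based rule Flask applies to file templates.

```python
from jinja2 import DictLoader, Environment, select_autoescape
from markupsafe import Markup

# Constructed in-memory templates standing in for files on disk (names are assumptions).
TEMPLATES = {
    "comment.html": "User comment: {{ comment }}\nAdmin note: {{ admin_note|safe }}",
    "comment.txt": "User comment: {{ comment }}",
    "block.html": "{% autoescape false %}{{ comment }}{% endautoescape %}",
}

env = Environment(
    loader=DictLoader(TEMPLATES),
    # Same shape as Flask's rule: escape for HTML/XML-like extensions, and for
    # templates rendered from strings; do not escape for other extensions.
    autoescape=select_autoescape(
        enabled_extensions=("html", "htm", "xml", "xhtml"),
        default_for_string=True,
        default=False,
    ),
)


def render_file(name, **context):
    """Render a named template; whether it autoescapes depends on its extension."""
    return env.get_template(name).render(**context)


def render_string(source, **context):
    """Render an inline template, which autoescapes (default_for_string=True)."""
    return env.from_string(source).render(**context)


def render_comment_page(comment, admin_note):
    """Question 5: comment is escaped, admin_note is emitted verbatim via |safe."""
    return render_file("comment.html", comment=comment, admin_note=admin_note)


def render_untrusted(user_input):
    """Question 1: the default path, which neutralises a script tag."""
    return render_string("{{ user_input }}", user_input=user_input)


def render_untrusted_marked_safe(user_input):
    """Question 3: the vulnerable path, where |safe lets the script tag through."""
    return render_string("{{ user_input|safe }}", user_input=user_input)


def render_with_markup(user_input):
    """Safer alternative to |safe: Markup.format escapes the interpolated value
    while the surrounding markup, which the application wrote, stays raw."""
    return render_string("{{ fragment }}",
                         fragment=Markup("<b>{}</b>").format(user_input))


if __name__ == "__main__":
    payload = "<script>alert('XSS')</script>"
    print(render_untrusted(payload))
    print(render_untrusted_marked_safe(payload))
    print(render_comment_page("<b>Hello</b>", "<i>Important</i>"))
    print(render_file("comment.txt", comment="<b>Hello</b>"))      # .txt: not escaped
    print(render_file("block.html", comment="<b>Hello</b>"))       # autoescape off
    print(render_with_markup("<i>x</i>"))
```

Running it shows the escaped form &lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt; for the default path, the raw script tag once |safe is applied, the mixed output of the comment/admin_note template, and the two ways escaping is silently lost (a non-HTML extension and an autoescape false block). The Markup.format line is the pattern to prefer when the application needs to emit its own tags around user data: the tags are trusted, the user data is still escaped.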