[Solved] You see this Flask template code:<p>Message: {{ message|safe }}</p>What is the main problem with this code if message contains user input? | Flask

Flask - Security Best Practices

You see this Flask template code:

<p>Message: {{ message|safe }}</p>

What is the main problem with this code if message contains user input?

AIt will cause a syntax error in the template.

BIt disables escaping, allowing XSS attacks if input is malicious.

CIt will remove all HTML tags from the message.

DIt automatically sanitizes the input, so no problem.

Step-by-Step Solution

Solution:

Step 1: Understand the effect of |safe filter
The |safe filter tells Flask not to escape the content, rendering raw HTML.
Step 2: Recognize security risk with user input
If message is user input, malicious scripts can run, causing XSS attacks.
Final Answer:
It disables escaping, allowing XSS attacks if input is malicious. -> Option B
Quick Check:
Using |safe on user input = security risk [OK]

Quick Trick: Avoid |safe on user input to prevent XSS [OK]

Common Mistakes:

MISTAKES

Master "Security Best Practices" in Flask

9 interactive learning modes - each teaches the same concept differently

More Flask Quizzes

You see this Flask template code: