ó >›/ixãóÆ•SrSSKrSSKrSSKJr SSKJr SSKJr Sr \R"S5\R"S5\R"S 5S 555r g) aÕ ============================================ B704: Potential XSS on markupsafe.Markup use ============================================ ``markupsafe.Markup`` does not perform any escaping, so passing dynamic content, like f-strings, variables or interpolated strings will potentially lead to XSS vulnerabilities, especially if that data was submitted by users. Instead you should interpolate the resulting ``markupsafe.Markup`` object, which will perform escaping, or use ``markupsafe.escape``. **Config Options:** This plugin allows you to specify additional callable that should be treated like ``markupsafe.Markup``. By default we recognize ``flask.Markup`` as an alias, but there are other subclasses or similar classes in the wild that you may wish to treat the same. Additionally there is a whitelist for callable names, whose result may be safely passed into ``markupsafe.Markup``. This is useful for escape functions like e.g. ``bleach.clean`` which don't themselves return ``markupsafe.Markup``, so they need to be wrapped. Take care when using this setting, since incorrect use may introduce false negatives. These two options can be set in a shared configuration section `markupsafe_xss`. .. code-block:: yaml markupsafe_xss: # Recognize additional aliases extend_markup_names: - webhelpers.html.literal - my_package.Markup # Allow the output of these functions to pass into Markup allowed_calls: - bleach.clean - my_package.sanitize :Example: .. code-block:: none >> Issue: [B704:markupsafe_markup_xss] Potential XSS with ``markupsafe.Markup`` detected. Do not use ``Markup`` on untrusted data. Severity: Medium Confidence: High CWE: CWE-79 (https://cwe.mitre.org/data/definitions/79.html) Location: ./examples/markupsafe_markup_xss.py:5:0 4 content = "" 5 Markup(f"unsafe {content}") 6 flask.Markup("unsafe {}".format(content)) .. seealso:: - https://pypi.org/project/MarkupSafe/ - https://markupsafe.palletsprojects.com/en/stable/escaping/#markupsafe.Markup - https://cwe.mitre.org/data/definitions/79.html .. versionadded:: 1.8.3 éN)Úissue)Útest_properties)Ú get_call_namecó•US:Xa//S.$g)NÚmarkupsafe_xss)Úextend_markup_namesÚ allowed_calls©)Únames Ú^/home/james-whalen/.local/lib/python3.13/site-packages/bandit/plugins/markupsafe_markup_xss.pyÚ gen_configr Os €Ø ÐÓà#%Øñ ð ð órÚCallÚB704c ó<•URnUS;aX!RS/5;agURRnU(a"[ US[ R 5(agURS/5nU(a@[ US[ R5(a[USUR5U;ag[R"[R[R[RR SUSUR"S3S9$) N)zmarkupsafe.Markupz flask.Markuprrr zPotential XSS with ``z`` detected. Do not use ``z`` on untrusted data.)ÚseverityÚ confidenceÚcweÚtext)Úcall_function_name_qualÚgetÚnodeÚargsÚ isinstanceÚastÚConstantrrÚimport_aliasesÚbanditÚIssueÚMEDIUMÚHIGHrÚCweÚXSSÚcall_function_name)ÚcontextÚconfigÚqualnamerr s r Úmarkupsafe_markup_xssr(Wsç€ð ×.Ñ.€HØÐ<Ó<Ø Ÿ:™:Ð&;¸RÓ@Ó @àà <‰<× Ñ €DÞ ”:˜d 1™g¤s§|¡|×4Ñ4àà—J‘J˜°Ó3€MæÜ t˜A‘w¤§¡× )Ñ )Ü ˜$˜q™' 7×#9Ñ#9Ó :¸mÓ Kðä <Š<Ü—‘Ü—;‘;Ü I‰IM‰MØ$ X Jð/Ø×/Ñ/Ð0Ð0EðGñ  ðr)Ú__doc__rrÚ bandit.corerrÚtestÚbandit.core.utilsrr Ú takes_configÚchecksÚtest_idr(r rr Úr0sdðñBóF ã ÝÝ/Ý+ò ð×ÒÐ#Ó$؇‚ˆVÓ؇‚ˆfÓñóóó%ñr