Avoid HTML built in strings

Docs > Code Analysis > Static Analysis Rules > Avoid HTML built in strings

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: python-security/html-string-from-parameters

Language: Python

Severity: Error

Category: Security

CWE: 79

Description

Detect unsafe HTML content. User-input may be injected into HTML content without being sanitized.

User input should always be checked before being used in HTML data.

Learn More

CWE-79: Improper Neutralization of Input During Web Page Generation

Non-Compliant Code Examples

def my_function(arg1: str, arg2, arg3 = "blabla", arg4: str = "blibli"):
    html1 = f"<div>{arg1}</div>"
    html1 = "<div>{0}</div>".format(arg1)
    html2 = f"<div>{arg2['bli']}</div>"
    html2 = "<div>{0}</div>".format(arg2['bli'])
    html3 = "<div>" + arg1 + "</div>"
    render(f"<div>{arg1}</div>")
    return html


def my_function2(arg1: str, arg2, arg3 = "blabla", arg4: str = "blibli"):
    html1 = f"<div>{arg51}</div>"
    html1 = "<div>{0}</div>".format(arg42)
    html2 = f"<div>{arg26['bli']}</div>"
    html2 = "<div>{0}</div>".format(arg51['bli'])
    html3 = "<div>" + arg41 + "</div>"
    render(f"<div>{arg51}</div>")
    return html


def my_function3(arg1: str, arg2, arg3 = "blabla", arg4: str = "blibli"):
    html1 = f"<div>{arg1}</div>"
    html1 = "<div>{0}</div>".format(arg1)
    html2 = f"<div>{arg2['bli']}</div>"
    html2 = "<div>{0}</div>".format(arg2['bli'])
    html3 = "<div>" + arg1 + "</div>"
    render(f"<div>{arg1}</div>")
    return html

Compliant Code Examples

def my_function(arg1: str, arg2, arg3 = "blabla", arg4: str = "blibli"):
    html1 = f"<div>{sanitize_value(arg1)}</div>"
    html1 = "<div>{0}</div>".format(sanitize_value(arg1))
    html2 = f"<div>{sanitize_value(arg2['bli'])}</div>"
    html2 = "<div>{0}</div>".format(sanitize_value(arg2['bli']))
    html3 = "<div>" + sanitize_value(arg1) + "</div>"
    render(f"<div>{sanitize_value(arg1)}</div>")
    return html