Do not use template created with strings

Docs > Code Analysis > Static Analysis Rules > Do not use template created with strings

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

ID: python-flask/no-render-template-string

Language: Python

Severity: Error

Category: Security

Description

Using templates created with string leads to server-side injection. Use template based on files.

Learn More

CWE-96: Improper Neutralization of Directives in Statically Saved

Non-Compliant Code Examples

import os
from functools import wraps
from flask import request, redirect, url_for, render_template_string


API_KEY = os.environ.get('VULN_FLASK_APP_API_KEY')

# Decorator to check if user is logged in
def require_api_key(f):
    @wraps(f)
    def wrap(*args, **kwargs):
        api_key = request.cookies.get('api_key')
        if API_KEY is None or api_key == API_KEY:
            return f(*args, **kwargs)
        else:
            return render_template_string('no api key found'), 401
    return wrap