Avoid HTML built in strings
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
ID: python-security/html-string-from-parameters
Language: Python
Severity: Error
Category: Security
CWE: 79
Description
Detect unsafe HTML content. User-input may be injected into HTML content without being sanitized.
User input should always be checked before being used in HTML data.
Learn More
Non-Compliant Code Examples
def my_function(arg1: str, arg2, arg3 = "blabla", arg4: str = "blibli"):
html1 = f"<div>{arg1}</div>"
html1 = "<div>{0}</div>".format(arg1)
html2 = f"<div>{arg2['bli']}</div>"
html2 = "<div>{0}</div>".format(arg2['bli'])
html3 = "<div>" + arg1 + "</div>"
render(f"<div>{arg1}</div>")
return html
def my_function2(arg1: str, arg2, arg3 = "blabla", arg4: str = "blibli"):
html1 = f"<div>{arg51}</div>"
html1 = "<div>{0}</div>".format(arg42)
html2 = f"<div>{arg26['bli']}</div>"
html2 = "<div>{0}</div>".format(arg51['bli'])
html3 = "<div>" + arg41 + "</div>"
render(f"<div>{arg51}</div>")
return html
def my_function3(arg1: str, arg2, arg3 = "blabla", arg4: str = "blibli"):
html1 = f"<div>{arg1}</div>"
html1 = "<div>{0}</div>".format(arg1)
html2 = f"<div>{arg2['bli']}</div>"
html2 = "<div>{0}</div>".format(arg2['bli'])
html3 = "<div>" + arg1 + "</div>"
render(f"<div>{arg1}</div>")
return html
Compliant Code Examples
def my_function(arg1: str, arg2, arg3 = "blabla", arg4: str = "blibli"):
html1 = f"<div>{sanitize_value(arg1)}</div>"
html1 = "<div>{0}</div>".format(sanitize_value(arg1))
html2 = f"<div>{sanitize_value(arg2['bli'])}</div>"
html2 = "<div>{0}</div>".format(sanitize_value(arg2['bli']))
html3 = "<div>" + sanitize_value(arg1) + "</div>"
render(f"<div>{sanitize_value(arg1)}</div>")
return html
Seamless integrations. Try Datadog Code Analysis