ZuhairORZaki commented on PR #36469: URL: https://github.com/apache/airflow/pull/36469#issuecomment-1871294907
> Have no idea how to reproduce it. > > In breeze this one link > > ``` > http://127.0.0.1:28080/confirm?task_id=runme_0&dag_id=%3Cimg%20src%3D%27x%27%20onerror%3D%27alert%281%29%27%3E&state=success > ``` > > redirect to the home page and just show as a text which are expected, because Flask by default use autoescape in Jinja templates > >  Thank you for your feedback. Yes jinja2 by default escapes values passed to a template. I was saying if there exists a client-side page that updates DOM elements with the value sent back in the JSON response using methods like `document.write`, `element.innerHTML`, `eval` etc. then any javascript code passed will execute. So If always jinja is used to render templates and in no way situation described above can occur, then there is no attack surface. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
