mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
13 lines
344 B
Python
13 lines
344 B
Python
|
"""XSS — negative fixture.
|
||
|
|
|
||
|
|
Safe function: uses html.escape() before rendering.
|
||
|
|
Expected verdict: NotConfirmed (script tag escaped to <script>).
|
||
|
|
"""
|
||
|
|
import html
|
||
|
|
|
||
|
|
|
||
|
|
def render_comment(user_input):
|
||
|
|
"""Safe: HTML-escapes user input before rendering."""
|
||
|
|
safe = html.escape(user_input)
|
||
|
|
print(f"<div class='comment'>{safe}</div>")
|