nyx/tests/fixtures/header_injection/python/unsafe_set_header.py

# Unsafe: Flask response.headers.add receives a value built from request
# args.  HEADER_INJECTION fires on the value argument.
from flask import request, make_response


def handler():
    lang = request.args.get("lang")
    resp = make_response("ok")
    resp.headers.add("X-Lang", lang)
    return resp
new capacity bits (#67) 2026-05-07 01:29:31 -04:00			`# Unsafe: Flask response.headers.add receives a value built from request`
			`# args. HEADER_INJECTION fires on the value argument.`
			`from flask import request, make_response`


			`def handler():`
			`lang = request.args.get("lang")`
			`resp = make_response("ok")`
			`resp.headers.add("X-Lang", lang)`
			`return resp`