B704: markupsafe_markup_xss

B704: Potential XSS on markupsafe.Markup use

markupsafe.Markup does not perform any escaping, so passing dynamic content, like f-strings, variables or interpolated strings, will potentially lead to XSS vulnerabilities, especially if that data was submitted by users.

Instead, interpolate the dynamic content into the resulting markupsafe.Markup object, which will perform escaping, or escape the data first with markupsafe.escape.

Config Options:

This plugin allows you to specify additional callables that should be treated like markupsafe.Markup. By default we recognize flask.Markup as an alias, but there are other subclasses or similar classes in the wild that you may wish to treat the same.

Additionally there is a whitelist of callable names whose result may be safely passed into markupsafe.Markup. This is useful for escape functions such as bleach.clean, which do not themselves return markupsafe.Markup and so need to be wrapped. Take care when using this setting, since incorrect use may introduce false negatives.

These two options can be set in a shared configuration section markupsafe_xss.

markupsafe_xss:
    # Recognize additional aliases
    extend_markup_names:
        - webhelpers.html.literal
        - my_package.Markup

    # Allow the output of these functions to pass into Markup
    allowed_calls:
        - bleach.clean
        - my_package.sanitize
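
The following is an added illustration, not Bandit's own plugin code: a small stdlib-only checker that applies the same rule described above (and the two config options) to a constructed sample module, so the safe and unsafe call shapes can be compared side by side. It only resolves names through top-level `import` / `from ... import` statements and only inspects the first positional argument; the `Config` class, `find_markup_xss` function and the `SAMPLE` source are assumptions of this example.

```python
import ast
from dataclasses import dataclass, field

# Names recognised out of the box (mirrors the page: markupsafe.Markup plus the flask alias).
DEFAULT_MARKUP_NAMES = {"markupsafe.Markup", "flask.Markup"}


@dataclass
class Config:
    """Stand-in for the markupsafe_xss config section (assumed shape for this example)."""
    extend_markup_names: set = field(default_factory=set)  # extra Markup-like callables
    allowed_calls: set = field(default_factory=set)        # calls whose result may enter Markup


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def import_aliases(tree):
    """Map local names to fully qualified names using the module's import statements."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                # `import a.b` binds `a`; `import a.b as c` binds `c` to `a.b`
                aliases[a.asname or a.name.split(".")[0]] = a.name if a.asname else a.name.split(".")[0]
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def resolve(name, aliases):
    """Replace the first component of a dotted name with its imported origin."""
    head, _, rest = name.partition(".")
    head = aliases.get(head, head)
    return f"{head}.{rest}" if rest else head


def is_dynamic(arg, aliases, allowed_calls):
    """True when the argument is anything other than a literal or a whitelisted call."""
    if isinstance(arg, ast.Constant):
        return False            # Markup("<b>static</b>") is fine
    if isinstance(arg, ast.Call):
        name = dotted_name(arg.func)
        if name and resolve(name, aliases) in allowed_calls:
            return False        # e.g. bleach.clean(x) when whitelisted
        return True             # "...".format(x) and any other call
    return True                 # f-strings (JoinedStr), variables, BinOp, ...


def find_markup_xss(source, config=None):
    """Return sorted (lineno, resolved callable name) pairs for risky Markup-like calls."""
    config = config or Config()
    tree = ast.parse(source)
    aliases = import_aliases(tree)
    markup_names = DEFAULT_MARKUP_NAMES | set(config.extend_markup_names)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name = dotted_name(node.func)
        if name is None:
            continue
        full = resolve(name, aliases)
        if full in markup_names and is_dynamic(node.args[0], aliases, config.allowed_calls):
            findings.append((node.lineno, full))
    return sorted(findings)


# Constructed sample module (only parsed, never executed, so the imports need not exist).
SAMPLE = """\
from markupsafe import Markup
import flask
import bleach
from webhelpers.html import literal

content = "<script>alert('Hello, world!')</script>"
Markup(f"unsafe {content}")                   # line 7: f-string, flagged
flask.Markup("unsafe {}".format(content))     # line 8: str.format, flagged
Markup(content)                               # line 9: variable, flagged
Markup("<b>%s</b>") % content                 # line 10: safe, Markup escapes content
Markup("<b>{}</b>").format(content)           # line 11: safe, Markup.format escapes
Markup(bleach.clean(content))                 # line 12: flagged unless bleach.clean is allowed
literal(content)                              # line 13: only seen via extend_markup_names
"""

if __name__ == "__main__":
    print(find_markup_xss(SAMPLE))
    print(find_markup_xss(SAMPLE, Config({"webhelpers.html.literal"}, {"bleach.clean"})))
```

With the default configuration the checker reports lines 7, 8, 9 and 12; with `webhelpers.html.literal` added to `extend_markup_names` and `bleach.clean` whitelisted in `allowed_calls`, line 12 drops out and line 13 is reported instead, which is exactly the trade-off the page warns about: a whitelist entry silences a finding, so it must name a function that really does escape.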

Example:

>> Issue: [B704:markupsafe_markup_xss] Potential XSS with
   ``markupsafe.Markup`` detected. Do not use ``Markup``
   on untrusted data.
   Severity: Medium   Confidence: High
   CWE: CWE-79 (https://cwe.mitre.org/data/definitions/79.html)
   Location: ./examples/markupsafe_markup_xss.py:5:0
4       content = "<script>alert('Hello, world!')</script>"
5       Markup(f"unsafe {content}")
6       flask.Markup("unsafe {}".format(content))

Added in version 1.8.3.