45. Cross-Site Scripting (XSS Intro)
XSS allows attackers to inject malicious scripts into web pages viewed by other users.
Insecure Example
# 45. Flask example (unsafe rendering)
from flask import Flask, request

app = Flask(__name__)

@app.route("/greet")
def greet():
    name = request.args.get("name", "Guest")
    return f"<h1>Hello {name}</h1>"  # Unsafe - allows HTML/JS injection
Secure Example
# Secure rendering: escape the untrusted value before it reaches the page.
# flask.escape was removed in Flask 2.3; import it from markupsafe instead.
from flask import Flask, request
from markupsafe import escape

app = Flask(__name__)

@app.route("/greet")
def greet():
    name = escape(request.args.get("name", "Guest"))  # <, >, &, " and ' become entities
    return f"<h1>Hello {name}</h1>"
✅ Lesson: Always escape user-generated content before rendering it to a web page.
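An added, self-contained check (not part of the lesson's own code) that renders the same greeting both ways and uses the standard library's HTML parser to show which tags a browser would actually build from the result. It assumes html.escape as a stand-in for markupsafe.escape (same treatment of & < > " ') and uses constructed inputs.

```python
from html import escape
from html.parser import HTMLParser


def render_unsafe(name: str) -> str:
    """The lesson's insecure pattern: untrusted text dropped straight into HTML."""
    return f"<h1>Hello {name}</h1>"


def render_safe(name: str) -> str:
    """Escape the value so the browser treats it as text, not markup."""
    return f"<h1>Hello {escape(name, quote=True)}</h1>"


def render_safe_attr(name: str) -> str:
    """Same value inside a quoted attribute; quote=True also neutralises the quotes."""
    return f'<input type="text" value="{escape(name, quote=True)}">'


class _TagCollector(HTMLParser):
    """Record the start tags and attributes a browser would create from the markup."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs[tag] = dict(attrs)


def parse(markup: str):
    """Return (tag names, attributes per tag) for a rendered HTML fragment."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags, p.attrs


# Constructed inputs for the check (not real traffic): one tag injection, one attribute breakout.
TAG_INPUT = "<script>alert(1)</script>"
ATTR_INPUT = '"><b>bold</b>'

if __name__ == "__main__":
    print(parse(render_unsafe(TAG_INPUT))[0])   # ['h1', 'script'] -> injected tag is live
    print(parse(render_safe(TAG_INPUT))[0])     # ['h1']           -> only the page's own tag
    print(parse(render_safe_attr(ATTR_INPUT))[1]["input"]["value"])  # original text, inert
```

The parser-based check doubles as a regression test: any rendering path that lets a tag name from untrusted input appear in the tag list has lost its escaping.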