Flask Templates XSS Vulnerabilities

[tonybaloney]

Investigate and add support for techniques for Cross-Site-Scripting in Flask Templates.

Because Flask uses Jinja2, its likely that the existing Jinja inspections will work

[backtrack-5]

Dear @tonybaloney, I just created a flask application with XSS vulnerability to test this plugin. Unfortunately when i tried to install the plugin Pycharm i am getting "Plugin 'Pycharm Security' is incompatible with this installation". Are there any specific version of Pycharm should i use ? I am using Pycharm Community 2018.2

Thank you,
Sornalingam

[tonybaloney]

You need either 2019.3 or 2020.1+, the plugin uses APIs in those versions

[backtrack-5]

@tonybaloney , Thanks for your clarification. I am trying to do the following things,

1. Create flask application with XSS vulnerability --> Done
2. Install Pycharm-security ->inprogress
3. Test your application with the plugin and see the suggestion

Can you please tell me whether the above items are fine or do we need to consider any other things ?

[backtrack-5]

@tonybaloney , Sorry for the delayed response.

I have imported the plugin and tried with SSTI and when i executed the inspection i did not get correct warning from the plugin

Input from browser

Test case:

1. Line no 9 in my code - it has XSS vulnerable.

Expected result

1. Plugin should find and give warn this use case

Actual result:

1. I did not get any warning for this scenario from plugin

Thanks,