# Vuln-Code 3 {Python}

## code

{% code lineNumbers="true" %}

```python
from flask import Flask, request
from jinja2 import Environment

app = Flask(__name__)

Jinja2 = Environment()

@app.route("/email/unsubscribe")
def page():
    email = request.values.get('email')
    output = Jinja2.from_string(
        '<h1>Are you sure you want the mail: ' + email + ' to unsubscribe?</h1>'
        + '<button onclick="unsubsUser()">BYE!</button>'
        + '<a href="/">Reconsider</a>'
    ).render()
    return output

if __name__ == "__main__":
    app.run(host='0.0.0.0',port=80)

```

{% endcode %}

[Source](https://twitter.com/intigriti/status/1736327880882241722) for the code: the original post on Twitter.

## Vulnerability

The code appears to contain two vulnerabilities:

### Client side Vulnerability

Cross-Site Scripting (XSS) is possible on the application's front-end: the `email` parameter is fetched at line 10 and used without any sanitization or escaping, so attacker-controlled JavaScript can be embedded in the page.

### Server Side Vulnerability

The application is also exposed to RCE risk, because the same unsanitized `email` parameter is concatenated into the template source itself; the vulnerability that leads to this scenario is Server-Side Template Injection (SSTI). Even a small payload like `{{5*5}}` would be evaluated by the template engine.


## Remedy

* Proper sanitization will help, but how?

Avoid injecting user input directly into your templates. Instead, use Flask's built-in mechanisms to handle user input safely:

We could use the `render_template` method instead, so the template is a fixed file and the user value is passed in as a variable (Flask autoescapes variables in `.html` templates):

```python
from flask import Flask, render_template, request

app = Flask(__name__)

@app.route("/email/unsubscribe")
def page():
    # Default to '' so a missing parameter does not raise a TypeError
    email = request.values.get('email', '')

    # Use Flask's render_template to render a fixed template file safely.
    # The value is passed as a template variable, never spliced into the
    # template source, and Flask autoescapes it in .html templates.
    return render_template('unsubscribe.html', email=email)

if __name__ == "__main__":
    app.run(host='0.0.0.0', port=80)
```

and the template may look like this:

```html
<!DOCTYPE html>
<html>
<head>
    <title>Email Unsubscribe</title>
</head>
<body>
    <h1>Are you sure you want the mail: {{ email }} to unsubscribe?</h1>
    <button onclick="unsubsUser()">BYE!</button>
    <a href="/">Reconsider</a>
</body>
</html>

```
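To see both findings and the remedy side by side, here is an added example (not code from the original post or from the Intigriti challenge) that uses Jinja2 directly, so it runs without a Flask app or a template file. Flask's `render_template` builds the same kind of `Environment` and turns autoescaping on for `.html` templates, which is what the fix above relies on. The `render_unsafe`, `render_safe` and `template_expression_evaluated` names, and the sample inputs, are constructed for this example; the `{{5*5}}` probe is the one mentioned in the write-up.

```python
# Added example, not part of the original post: the vulnerable pattern beside
# a hardened one, using Jinja2 directly so it runs offline.
from jinja2 import Environment

# Constructed sample inputs: a normal address, the {{5*5}} probe from the
# write-up, and a plain HTML tag to show escaping.
SAMPLE_INPUTS = ["alice@example.com", "{{5*5}}", "<b>bold</b>"]

# 1. Vulnerable: untrusted input is concatenated into the template SOURCE, so
#    Jinja2 parses it as template syntax (SSTI). Environment() also defaults
#    to autoescape=False, so HTML in the value reaches the browser unescaped (XSS).
unsafe_env = Environment()


def render_unsafe(email: str) -> str:
    """Mirrors the original handler: user input becomes part of the template."""
    return unsafe_env.from_string(
        "<h1>Are you sure you want the mail: " + email + " to unsubscribe?</h1>"
    ).render()


# 2. Hardened: the template is a constant and the value is passed as a
#    variable, so it is never parsed as template syntax (no SSTI). With
#    autoescape=True the characters < > & " ' become entities (no XSS via
#    this field). This is what render_template() does for .html templates.
safe_env = Environment(autoescape=True)
SAFE_TEMPLATE = safe_env.from_string(
    "<h1>Are you sure you want the mail: {{ email }} to unsubscribe?</h1>"
)


def render_safe(email: str) -> str:
    """Hardened handler: user input is only ever a template *variable*."""
    return SAFE_TEMPLATE.render(email=email)


def template_expression_evaluated(rendered: str) -> bool:
    """Detection helper for a test suite: True if the {{5*5}} probe was
    executed, i.e. the output carries 25 instead of the literal text."""
    return "25" in rendered and "{{5*5}}" not in rendered


if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        print("unsafe:", render_unsafe(value))
        print("safe:  ", render_safe(value))
```

Running the block shows the unsafe handler turning `{{5*5}}` into `25` and passing `<b>bold</b>` through untouched, while the hardened handler prints both inputs as literal, entity-escaped text. The `template_expression_evaluated` check is the kind of assertion worth keeping in a regression test for any handler that renders user-supplied values.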

