# Vuln-Code 3 {Python}

## code

{% code lineNumbers="true" %}

```python
from flask import Flask, request
from jinja2 import Environment

app = Flask(__name__)

Jinja2 = Environment()

@app.route("/email/unsubscribe")
def page():
    email = request.values.get('email')
    output = Jinja2.from_string('<h1>Are you sure you want the mail: '+email+' to unsubscribe?</h1>'+'<button onclick="unsubsUser()">BYE!</button>'+'<a href="/">Reconsider</a>').render()
    return output

if __name__ == "__main__":
    app.run(host='0.0.0.0',port=80)

```

{% endcode %}

[Source](https://twitter.com/intigriti/status/1736327880882241722) for the code: the original post on Twitter.

## Vulnerability

The code appears to be vulnerable in two ways:

### Client-side Vulnerability

A Cross-Site Scripting (XSS) attack is possible on the application's front end because the *email* parameter is fetched at line 10 and used without any sanitization or output encoding, which allows malicious JavaScript to be embedded in the rendered page.

### Server-side Vulnerability

The application is also exposed to a risk of remote code execution (RCE), because the same *email* parameter is concatenated unsanitized into the template source passed to `Jinja2.from_string()`. The vulnerability that leads to this scenario is Server-Side Template Injection (SSTI): the template engine parses the user input as template code rather than data. Even a small payload like `{{5*5}}` would be evaluated, rendering `25` in the page.

<figure><img src="https://557694848-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FKZUi9EtoKIU4SOjbM4Gw%2Fuploads%2FctMiaSrMnUFxe7WxtCtZ%2Fimage.png?alt=media&#x26;token=ab1eeb95-9231-411c-b0af-e5bfb0c13b99" alt=""><figcaption></figcaption></figure>

## Remedy

* Proper handling of user input is the remedy, but how?

Avoid directly injecting user input into your templates. Instead, use Flask's built-in mechanisms to handle user input safely: keep the template fixed and pass the input in as a variable, so the engine treats it as data rather than template code.

We could use the `render_template` method to change the handler:

```python
from flask import Flask, render_template, request

app = Flask(__name__)

@app.route("/email/unsubscribe")
def page():
    email = request.values.get('email', '')

    # Render a fixed template file from the templates/ directory and pass the
    # user input in as a variable. Flask enables Jinja2 autoescaping for
    # .html templates, so the value is HTML-escaped on output and is never
    # parsed as template code.
    return render_template('unsubscribe.html', email=email)

if __name__ == "__main__":
    app.run(host='0.0.0.0', port=80)
```

and the template (`templates/unsubscribe.html`) may look like this:

```html
<!DOCTYPE html>
<html>
<head>
    <title>Email Unsubscribe</title>
</head>
<body>
    <h1>Are you sure you want the mail: {{ email }} to unsubscribe?</h1>
    <button onclick="unsubsUser()">BYE!</button>
    <a href="/">Reconsider</a>
</body>
</html>
```
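As an added example that is not part of the original post, the vulnerable and remedied patterns side by side, using Jinja2 directly (without Flask) so it runs stand-alone; it assumes only that the `jinja2` package is installed, and `autoescape=True` stands in for what Flask's `render_template` does for `.html` templates.

```python
from jinja2 import Environment

# Vulnerable pattern from the page: user input is concatenated into the
# TEMPLATE SOURCE, so the engine parses it as template code (SSTI), and
# with autoescape off nothing is HTML-encoded on output (XSS).
def render_vulnerable(email):
    env = Environment()  # autoescape is off by default
    source = ('<h1>Are you sure you want the mail: ' + email
              + ' to unsubscribe?</h1>')
    return env.from_string(source).render()

# Remedied pattern: the template is a fixed string and the user input only
# ever arrives as a variable, which the engine treats as data. autoescape=True
# mirrors Flask's behaviour for *.html templates, so <, >, &, and quotes are
# encoded before they reach the browser.
SAFE_TEMPLATE = '<h1>Are you sure you want the mail: {{ email }} to unsubscribe?</h1>'

def render_safe(email):
    env = Environment(autoescape=True)
    return env.from_string(SAFE_TEMPLATE).render(email=email or '')

if __name__ == "__main__":
    # Constructed probe inputs: the page's arithmetic probe and a markup string.
    for probe in ('{{5*5}}', '<b>user</b>@example.com'):
        print('vulnerable:', render_vulnerable(probe))
        print('safe      :', render_safe(probe))
```

In the vulnerable path the expression is evaluated to `25` and the markup reaches the browser intact; in the remedied path the same inputs come out as literal, HTML-escaped text.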
