@phith0n
Created February 5, 2016 16:59
WTForm URL XSS
form.html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>test</title>
</head>
<body>
<p>{% if form.url.errors %}
{{ form.url.errors|join(' ') }}
{% endif %}
</p>
<p>
your input url
{# The validated value becomes a link target. Autoescaping only neutralises
   quotes and angle brackets here; it does not restrict the URL scheme. #}
<a href="{{ url }}" target="_blank">{{ url }}</a>
</p>
<form method="post">
<input type="text" name="url" style="width:300px;" />
<input type="submit" value="Submit"/>
</form>
</body>
</html>
#(๑¯ω¯๑) coding:utf8 (๑¯ω¯๑)
import os
import flask
from flask import Flask
from wtforms.form import Form
from wtforms.validators import DataRequired, URL
from wtforms import StringField

app = Flask(__name__)


class UrlForm(Form):
    # URL() only checks the shape "<letters>://host[:port][/path]"; it does not
    # restrict the scheme, so a value that passes here is not necessarily a safe
    # href target.
    url = StringField("Link", validators=[DataRequired(), URL()])


@app.route('/', methods=['GET', 'POST'])
def show_data():
    form = UrlForm(flask.request.form)
    if flask.request.method == "POST" and form.validate():
        # The validated value is rendered straight into <a href="{{ url }}">.
        # Jinja's autoescaping protects the attribute quoting, not the link scheme.
        url = form.url.data
    else:
        url = flask.request.url
    return flask.render_template('form.html', url=url, form=form)


if __name__ == '__main__':
    app.debug = True  # test harness only: the Werkzeug debugger must not face a network
    app.run(os.getenv('IP', '0.0.0.0'), int(os.getenv('PORT', 8080)))
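As an added defender's counterpart (not part of phith0n's gist), a scheme allow-list validator that closes the gap the gist demonstrates: wtforms' URL() only checks that the value looks like `<letters>://host...`, so the scheme has to be restricted separately before the value is rendered into an href. The names `is_safe_http_url`, `HttpURL` and `validate_field` are mine, the stand-in field built with `types.SimpleNamespace` is a test convenience, and the `wtforms` import is guarded so the check also runs where WTForms is not installed.

```python
import types
from urllib.parse import urlsplit

try:
    from wtforms.validators import ValidationError
except ImportError:  # wtforms not installed: stand-in so the check still imports
    class ValidationError(ValueError):
        pass

ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_safe_http_url(value):
    """True only for an absolute http(s) URL with a host.

    wtforms' URL() accepts any '<letters>://host' string, so the scheme must be
    allow-listed separately before the value is used as a link target.
    """
    if not isinstance(value, str):
        return False
    # Reject control characters (tab, newline, ...) rather than strip them:
    # browsers remove tab and newline from a URL before parsing its scheme.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return False
    try:
        parts = urlsplit(value.strip())  # lowercases the scheme for us
    except ValueError:  # e.g. unbalanced IPv6 brackets in the host
        return False
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.hostname)


class HttpURL:
    """WTForms validator; list it after URL() so it sees a syntactically valid URL."""

    def __init__(self, message="Only http:// and https:// links are accepted."):
        self.message = message

    def __call__(self, form, field):
        if not is_safe_http_url(field.data):
            raise ValidationError(self.message)


# Drop-in for the gist's UrlForm:
#     url = StringField("Link", validators=[DataRequired(), URL(), HttpURL()])
def validate_field(value):
    """Run HttpURL over a minimal stand-in field; returns the error text or None."""
    field = types.SimpleNamespace(data=value)
    try:
        HttpURL()(None, field)
    except ValidationError as exc:
        return str(exc)
    return None
```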