Set content type to `application/json` for `flask.make_response` with JSON data
pixee:python/flask-json-response-type
Importance | Review Guidance | Requires Scanning Tool |
---|---|---|
Medium | Merge Without Review | No |
The default mimetype for `make_response` in Flask is `text/html`. This is true even when the response contains JSON data.
If the JSON contains (unsanitized) user-supplied input, an attacker can inject HTML such as a `<script>` element: `json.dumps` does not escape `<` or `>`, and because the browser is told the body is `text/html`, it renders the JSON as markup when the endpoint is opened directly, which leaves the application vulnerable to cross-site scripting (XSS).
This fix explicitly sets the response type to `application/json` when the response body is JSON data, so the browser treats the body as data rather than markup. Our changes look something like this:
from flask import make_response, Flask
import json
app = Flask(__name__)
@app.route("/test")
def foo(request):
json_response = json.dumps({ "user_input": request.GET.get("input") })
- return make_response(json_response)
+ return make_response(json_response, {'Content-Type':'application/json'})
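Review bot: the view in this snippet is written Django-style rather than Flask-style, so it would not run as shown: a Flask view function takes no `request` parameter (Flask calls `foo()` with no arguments, so `def foo(request):` raises a `TypeError`), and query parameters are read from `flask.request.args`, not `request.GET`. Suggest `from flask import make_response, Flask, request`, `def foo():` and `request.args.get("input")`. The `+` line itself is correct: when `make_response` receives a dict as its second argument, Flask treats it as headers, so `Content-Type` is set without touching the body. It may also be worth noting that `flask.jsonify` sets `application/json` itself and is the idiomatic alternative when the handler builds the JSON anyway.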
If you have feedback on this codemod, please let us know!
F.A.Q.
Why is this codemod marked as Merge Without Review?
This change only sets the `Content-Type` header on the response; the response body itself is not altered. Thus we deem it safe to merge without review.
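The following is an added example, not code from the Pixee codemod or its documentation. It places the vulnerable route (JSON body, default `text/html` mimetype) beside the fixed route (same body, explicit `application/json`) and a third route using `flask.jsonify`, then drives all three through Flask's test client with a constructed `<script>` payload to confirm that only the mimetype differs between the first two and that the body is unchanged. Route names, the payload and the helper `content_types` are assumptions made for this example.

```python
"""Added example: JSON body served as text/html versus application/json.

Not part of the Pixee codemod; route names and payload are illustrative.
"""
import json

from flask import Flask, jsonify, make_response, request

app = Flask(__name__)

# Constructed attacker-controlled input: harmless as JSON data, executable
# if the browser is told the body is HTML.
PAYLOAD = "<script>alert(1)</script>"


@app.route("/vulnerable")
def vulnerable():
    # Before the codemod: body is JSON, but make_response falls back to
    # Flask's default mimetype, text/html. json.dumps does not escape '<'.
    body = json.dumps({"user_input": request.args.get("input", "")})
    return make_response(body)


@app.route("/fixed")
def fixed():
    # After the codemod: identical body, explicit JSON content type.
    # A dict as the second argument is treated as response headers.
    body = json.dumps({"user_input": request.args.get("input", "")})
    return make_response(body, {"Content-Type": "application/json"})


@app.route("/jsonify")
def with_jsonify():
    # Flask's own helper serialises and sets application/json for you.
    return jsonify({"user_input": request.args.get("input", "")})


def content_types(user_input=PAYLOAD):
    """Request each route with user_input and return {path: (mimetype, body)}.

    Uses the test client so the example runs offline with no server.
    """
    client = app.test_client()
    result = {}
    for path in ("/vulnerable", "/fixed", "/jsonify"):
        resp = client.get(path, query_string={"input": user_input})
        # resp.mimetype drops parameters such as '; charset=utf-8'.
        result[path] = (resp.mimetype, resp.get_data(as_text=True))
    return result


def fix_preserves_body(user_input=PAYLOAD):
    """True when the codemod's change alters only the header, not the body."""
    r = content_types(user_input)
    return r["/vulnerable"][1] == r["/fixed"][1]


if __name__ == "__main__":
    for path, (mimetype, body) in content_types().items():
        print(f"{path:12} {mimetype:18} {body}")
```

Running the file prints the mimetype and body per route; the `/vulnerable` body still contains the raw `<script>` element and is labelled `text/html`, which is exactly the combination a browser will execute when the URL is visited directly.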
Codemod Settings
N/A