CVE-2025-66458: Python Markup Unsafe Formatting


Provally Curated · Public repository · Medium · Medium confidence · Verified · Apache-2.0 · Python
greprules fetch cve-2025-66458-python-markup-unsafe-formatting --engine opengrep

Description

Constructing a `Markup` object using Python's built-in string formatting (e.g., f-strings, `.format()`, `%`, or string concatenation) bypasses HTML escaping. `Markup` trusts the evaluated string entirely, leading to Cross-Site Scripting (XSS) if variable contents are user-controlled. Instead, pass the format string directly to `Markup` and then call `.format()`.
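The pattern the rule flags, shown beside the fixed form, as an added example that is not part of the rule page or of markupsafe itself. It uses markupsafe when installed and otherwise falls back to a constructed minimal stand-in with the same escape-on-format behaviour; `PAYLOAD` and the `greeting_*` helpers are constructed for illustration.

```python
try:
    from markupsafe import Markup, escape
except ImportError:  # constructed stand-in; mirrors markupsafe's behaviour used here
    def escape(value):
        """Escape a value to Markup, honouring __html__ like markupsafe does."""
        if hasattr(value, "__html__"):
            return Markup(value.__html__())
        return Markup(str(value).replace("&", "&amp;").replace("<", "&lt;")
                      .replace(">", "&gt;").replace('"', "&#34;")
                      .replace("'", "&#39;"))

    class Markup(str):
        """str subclass trusted as HTML; escapes only what it substitutes."""
        def __html__(self):
            return self

        def format(self, *args, **kwargs):
            return Markup(str.format(self, *[escape(a) for a in args],
                                     **{k: escape(v) for k, v in kwargs.items()}))

        def __mod__(self, arg):
            arg = (tuple(escape(a) for a in arg) if isinstance(arg, tuple)
                   else escape(arg))
            return Markup(str.__mod__(self, arg))

# Constructed attacker-controlled value (e.g. a display name from a form).
PAYLOAD = "<script>alert(1)</script>"

def greeting_unsafe(name):
    # Vulnerable: the f-string is evaluated before Markup sees it, so the raw
    # payload is already spliced into a plain str that Markup then trusts.
    return Markup(f"<p>Hello, {name}!</p>")

def greeting_unsafe_percent(name):
    # Same defect with %-formatting applied to a plain str before wrapping.
    return Markup("<p>Hello, %s!</p>" % name)

def greeting_safe(name):
    # Fixed: only the template literal is trusted; Markup.format() escapes
    # every substituted argument.
    return Markup("<p>Hello, {}!</p>").format(name)

def greeting_safe_percent(name):
    # Markup's own % operator escapes the operand as well.
    return Markup("<p>Hello, %s!</p>") % name

def contains_raw_script(rendered):
    """True when a rendered fragment still carries an unescaped <script> tag."""
    return "<script>" in str(rendered)
```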