# HTML Escaping

When returning HTML (the default response type in Flask), any user-provided values rendered in the output must be
escaped to protect against injection attacks. HTML templates rendered with Jinja, introduced later, will do this
automatically.

escape(), shown here, can be used manually. It is omitted in most examples for brevity, but you should always be
aware of how you're using untrusted data.

In [4]:
from flask import Flask
from markupsafe import escape

Application = Flask(__name__)

# The route must declare <name> as a URL variable, otherwise Flask has no value
# to pass into hello(name) and the request fails.
@Application.route("/<name>")
def hello(name):
    # name comes straight from the URL path, so it is untrusted: escape it before
    # it is placed in the HTML response.
    return f"Hello, {escape(name)}!"

**First, we import the escape function from markupsafe**

In [None]:
from markupsafe import escape
# The escape function is used to convert potentially dangerous characters in user input
# into safe HTML entities to prevent injection attacks

**Creating a function that safely handles user input**

In [None]:
def hello(name):
    return f"Hello, {escape(name)}!"

# def hello(name): - This defines the view function; 'name' is filled in by Flask from the
#   <name> variable declared in the route (e.g. @Application.route("/<name>"))
# return f"Hello, {escape(name)}!" - This returns a formatted string that includes:
#   - "Hello, " as literal text
#   - escape(name), which converts markup-significant characters in 'name' to HTML entities
#   - "!" as literal text
#
# The escape() function protects against XSS (Cross-Site Scripting) by converting the five
# characters <, >, &, " and ' into their HTML entity equivalents (&lt;, &gt;, &amp;, &#34;, &#39;),
# so the browser shows them as text instead of parsing them as markup.

**Example of why escaping is important:**

Without escaping, if someone visits `/<script>alert('XSS')</script>`, the `<script>` element is copied verbatim into the HTML response and the browser executes it (a reflected XSS).

With escaping, the same input is returned as inert text: `&lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;`. The browser renders the literal characters instead of parsing them as markup.

Two caveats worth keeping in mind. First, `escape()` is the right tool for text content and for attribute values enclosed in quotes; it does not by itself make data safe inside unquoted attributes, `<script>` blocks, inline event handlers or `javascript:` URLs, which need context-specific handling. Second, `escape()` returns a `Markup` object, and wrapping a string in `Markup` (or applying `|safe` in a Jinja template) tells the template engine to trust it, so never do that with user-controlled data.
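The following is an added example, not code from the Flask documentation: it renders the page's payload, plus two constructed attribute-injection payloads, through the vulnerable f-string pattern and through `escape()` in three HTML contexts, then parses each result with the standard library's `HTMLParser` to see what a browser would actually treat as executable. The `render_*` functions, `ActiveContentFinder`, `active_content` and the sample payloads are my own names; the stdlib `html.escape` fallback is an assumption added so the block runs without markupsafe installed (it spells `'` as `&#x27;` rather than `&#39;`, the set of escaped characters is the same).

```python
# Added example, not from the Flask docs: where escape() is sufficient and where it is not.
# Assumes markupsafe is installed (as on the page); falls back to the stdlib html.escape
# (an assumption made so the demo runs offline; it spells ' as &#x27; instead of &#39;).
from html.parser import HTMLParser

try:
    from markupsafe import escape
except ImportError:  # assumption: stdlib fallback, same set of characters escaped
    import html

    def escape(value):
        return html.escape(str(value), quote=True)

# Constructed attacker inputs, as they might arrive in a URL path segment or form field.
XSS_TEXT = "<script>alert('XSS')</script>"      # aims at text content
XSS_ATTR_BREAKOUT = '" onmouseover="alert(1)'   # aims at a quoted attribute value
XSS_ATTR_UNQUOTED = "x onmouseover=alert(1)"    # aims at an unquoted attribute value


def render_unescaped(name):
    """The vulnerable pattern: untrusted data concatenated straight into HTML."""
    return f"<p>Hello, {name}!</p>"


def render_text(name):
    """Safe in text content: <, >, &, and quotes become entities, so no tag can start."""
    return f"<p>Hello, {escape(name)}!</p>"


def render_quoted_attr(name):
    """Safe in a double-quoted attribute: the quote itself is escaped, so the value
    cannot terminate the attribute and start a new one."""
    return f'<input name="who" value="{escape(name)}">'


def render_unquoted_attr(name):
    """NOT safe despite escape(): spaces and '=' are not escaped, so an unquoted
    attribute value can grow extra attributes such as an event handler."""
    return f"<input name=who value={escape(name)}>"


class ActiveContentFinder(HTMLParser):
    """Tokenizes rendered HTML the way a browser would and records what could
    execute: <script> elements and on* event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for attr_name, _ in attrs:
            if attr_name.startswith("on"):
                self.findings.append(f"event handler {attr_name}")


def active_content(rendered):
    """Return the list of executable constructs found in a rendered HTML fragment."""
    finder = ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    cases = [
        ("unescaped text", render_unescaped(XSS_TEXT)),
        ("escaped text", render_text(XSS_TEXT)),
        ("escaped, quoted attribute", render_quoted_attr(XSS_ATTR_BREAKOUT)),
        ("escaped, unquoted attribute", render_unquoted_attr(XSS_ATTR_UNQUOTED)),
    ]
    for label, out in cases:
        print(f"{label:28} {out}")
        print(f"{'':28} executes: {active_content(out) or 'nothing'}")
```

Running the block shows the unescaped text case yielding a live `<script>` element and the unquoted-attribute case yielding an `onmouseover` handler even though `escape()` was applied, while the escaped text and quoted-attribute cases parse to nothing executable. The parser-based check is deliberately used instead of a substring search: the quoted-attribute output still contains the characters `onmouseover=` as harmless attribute text, and only tokenizing the markup tells the two apart.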