Allow markup-ing literal strings

Literal strings in the application should be safe (similar to static markup in template files), and then normal way to create dynamic markup code side: create a properly marked up `Markup`, then `Markup.format` user-defined content into it.
semgrep · Jun 14, 2024 · 1bb544a · 1bb544a
1 parent 311ca4e
commit 1bb544a
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/python/flask/security/xss/audit/explicit-unescape-with-markup.yaml b/python/flask/security/xss/audit/explicit-unescape-with-markup.yaml
@@ -17,7 +17,11 @@ rules:
       - python
     severity: WARNING
     pattern-either:
-      - pattern: flask.Markup(...)
+      - pattern: flask.Markup($Q)
       - pattern: flask.Markup.unescape(...)
-      - pattern: markupsafe.Markup(...)
+      - pattern: markupsafe.Markup($Q)
       - pattern: $MARKUPOBJ.unescape()
+      - metavariable-pattern:
+          metavariable: $Q
+          patterns:
+          - pattern-not: '"..."'