From 1bb544ac28d5135039f68de608b508be77262f9f Mon Sep 17 00:00:00 2001
From: xmo-odoo
Date: Fri, 14 Jun 2024 12:15:23 +0200
Subject: [PATCH] Allow markup-ing literal strings

Literal strings in the application should be safe (similar to static markup in template files), and then normal way to create dynamic markup code side: create a properly marked up `Markup`, then `Markup.format` user-defined content into it.
---
 .../security/xss/audit/explicit-unescape-with-markup.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/python/flask/security/xss/audit/explicit-unescape-with-markup.yaml b/python/flask/security/xss/audit/explicit-unescape-with-markup.yaml
index d602fc8d49..ddd207ce1a 100644
--- a/python/flask/security/xss/audit/explicit-unescape-with-markup.yaml
+++ b/python/flask/security/xss/audit/explicit-unescape-with-markup.yaml
@@ -17,7 +17,11 @@ rules:
   - python
   severity: WARNING
   pattern-either:
-  - pattern: flask.Markup(...)
+  - pattern: flask.Markup($Q)
   - pattern: flask.Markup.unescape(...)
-  - pattern: markupsafe.Markup(...)
+  - pattern: markupsafe.Markup($Q)
   - pattern: $MARKUPOBJ.unescape()
+  - metavariable-pattern:
+      metavariable: $Q
+      patterns:
+      - pattern-not: '"..."'
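Review bot: The new `- metavariable-pattern:` entry only filters the `flask.Markup($Q)` / `markupsafe.Markup($Q)` matches if it sits in a `patterns:` list next to the `pattern-either:`; the visible context shows it being appended to the `pattern-either:` list itself, where it would be read as a further alternative rather than a restriction, so the nesting should be checked in the rendered file. Two alternatives (`flask.Markup.unescape(...)`, `$MARKUPOBJ.unescape()`) never bind `$Q`, so the rule's test file should confirm they still report after this change. The exclusion `'"..."'` should also be exercised against an interpolated literal such as `Markup(f"<b>{user}</b>")` in the tests — if Semgrep's string-literal pattern covers f-strings, the rule would stop flagging exactly the dynamic case the commit message says must go through `Markup.format`. Narrowing `Markup(...)` to `Markup($Q)` additionally drops calls with more than one positional or any keyword argument (e.g. an explicit encoding), which is worth stating in the commit message if intended.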