Jinja check: Missing href

The href attribute in anchor tags accepts the javascript: URI and is therefore susceptible to cross-site scripting (XSS) if a Jinja template variable is used to insert the link. This check will alert when a template variable is used in the href attribute of an anchor tag.

Description

Flask's security recommendations warn against using Jinja variables to insert values into the href attribute of an anchor tag. Because the javascript: URI is valid in href attributes, a template like the first line below, rendered with attacker-controlled input, produces the second and the script runs when the link is clicked:

<a href="{{ value }}">click here</a>
<a href="javascript:alert('unsafe');">click here</a>

Use url_for(), a function provided by Flask that is also available in Jinja templates, to generate links.

You should also consider setting the Content Security Policy (CSP) header, which you can use to block inline JavaScript (such as the javascript: URI) from running. Set the default-src or script-src directive to 'self'. We recommend using Google's Flask-Talisman for securing your Flask application.

For more information on the Content Security Policy, refer to the references.

This check will detect the following case.

<html>
  <body>
    <a href="{{ value }}">Test</a>
  </body>
</html>

The check will consider the following case acceptable.

<html>
  <body>
    <a href="{{ url_for('foo') }}">Test</a>
  </body>
</html>
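To make the check's logic concrete, the following is an added Python sketch of the detection (hypothetical code written for this page, not the check's own implementation). It flags an anchor whose href is a Jinja expression unless that expression is a url_for() call, and its third sample shows that an HTML-escaping filter does not make the case acceptable, since escaping does not neutralise the javascript: scheme.

```python
import re
from dataclasses import dataclass

# Hypothetical scanner reproducing the check on raw template text: an <a> tag
# whose href attribute is a Jinja expression is flagged unless the expression
# is a url_for() call.
HREF_TEMPLATE_RE = re.compile(
    r"""<a\b[^>]*?\bhref\s*=\s*(?P<q>["'])\s*\{\{\s*(?P<expr>.*?)\s*\}\}\s*(?P=q)""",
    re.IGNORECASE | re.DOTALL,
)
SAFE_EXPR_RE = re.compile(r"^url_for\s*\(")


@dataclass
class Finding:
    line: int   # 1-based line of the <a> tag in the template
    expr: str   # the Jinja expression found inside href


def check_template(source: str) -> list:
    """Return one Finding per anchor whose href is a template expression."""
    findings = []
    for m in HREF_TEMPLATE_RE.finditer(source):
        expr = m.group("expr")
        if SAFE_EXPR_RE.match(expr):
            continue  # url_for() builds a route URL, not attacker-controlled text
        line = source.count("\n", 0, m.start()) + 1
        findings.append(Finding(line=line, expr=expr))
    return findings


# Constructed sample templates mirroring the cases described above.
UNSAFE_TEMPLATE = "<html>\n  <body>\n    <a href=\"{{ value }}\">Test</a>\n  </body>\n</html>\n"
SAFE_TEMPLATE = "<html>\n  <body>\n    <a href=\"{{ url_for('foo') }}\">Test</a>\n  </body>\n</html>\n"
# HTML escaping leaves "javascript:alert(1)" untouched, so |e is still flagged.
ESCAPED_TEMPLATE = "<html>\n  <body>\n    <a href=\"{{ value|e }}\">Test</a>\n  </body>\n</html>\n"

if __name__ == "__main__":
    for name, tpl in (("unsafe", UNSAFE_TEMPLATE), ("safe", SAFE_TEMPLATE), ("escaped", ESCAPED_TEMPLATE)):
        for f in check_template(tpl):
            print(f"{name}: line {f.line}: href uses template expression {f.expr!r}")
```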

References