Learning Python Network Programming

(Sean Pound) #1
Chapter 9

You can put images and other resources in the static folder, and reference them in
the same way.


A note on security


If you're new to web programming, then I strongly recommend you read up on two
common types of security flaw in web applications. Both are fairly easily avoided but
can have serious consequences if not addressed.


XSS

The first is Cross-Site Scripting (XSS). This is where an attacker injects malicious
script code into a site's HTML, causing a user's browser to carry out operations in
the security context of that site without the user's knowledge. A typical vector is user-
submitted info being redisplayed to users without proper sanitization or escaping.


For example, one method is to trick users into visiting URLs containing carefully
crafted GET parameters. As we saw in Chapter 2, HTTP and Working with the Web,
these parameters can be used by web servers to generate pages, and sometimes
their content is included in the HTML of the response page itself. If the server is not
careful to replace special characters in the URL parameters with their HTML escape
codes when displayed, an attacker can put executable code, for example JavaScript,
into URL parameters and actually have it executed when that URL is visited. If they
can trick a victim into visiting that URL, that code will be executed in the user's
browser, enabling the attacker to potentially perform any action the user could.


The basic XSS prevention is to ensure that any input received from outside the web
application is escaped properly when returned to the client. Flask is very helpful in
this regard since it activates Jinja2's auto-escaping feature by default, meaning that
anything we render via template is automatically protected. Not all frameworks
have this feature though, and some that do need it to be manually set. Also, this only
applies in situations where your user-generated content can't include markup. In
situations like a wiki that allows some markup in user-generated content, you need
to take much greater care—see the source code download for this chapter in the
5-search folder for an example of this. You should always make sure you check out
your framework's documentation.
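The reflected-XSS pattern described above, and the escaping that prevents it, as an added example that is not code from the book or from Flask. It uses only the standard library: `html.escape` produces the same kind of output that Jinja2's auto-escaping applies to template variables (Jinja2 uses MarkupSafe, which escapes the same five characters). The URL is a constructed sample, and the function names are my own.

```python
"""Added example: a GET parameter reflected into HTML, first unescaped (the
vulnerable pattern), then escaped (the fix). Standard library only."""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed sample URL: the 'q' parameter carries a script tag, URL-encoded
# exactly as a browser would send it.
SAMPLE_URL = "http://example.test/search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"


def query_param(url: str, name: str) -> str:
    """Return the decoded value of one GET parameter, or '' if it is absent."""
    params = parse_qs(urlsplit(url).query)
    return params.get(name, [""])[0]


def render_unsafe(term: str) -> str:
    """The vulnerable pattern: user input concatenated straight into the page.

    Whatever the parameter contains becomes part of the HTML, so a <script>
    tag in the URL runs in the browser of anyone who visits that URL.
    """
    return f"<p>Results for: {term}</p>"


def render_escaped(term: str) -> str:
    """The fix: replace &, <, >, \" and ' with their HTML escape codes.

    The browser now displays the text of the payload instead of executing it.
    This is what Flask's Jinja2 auto-escaping does for every template variable.
    """
    return f"<p>Results for: {escape(term, quote=True)}</p>"


def contains_tag(html: str, tag: str = "script") -> bool:
    """Crude check used only to contrast the two renderings: does the output
    still contain a live <tag> element (rather than the escaped text '&lt;tag')?"""
    return f"<{tag}" in html.lower()


if __name__ == "__main__":
    term = query_param(SAMPLE_URL, "q")
    print("unsafe :", render_unsafe(term))
    print("escaped:", render_escaped(term))
```

Running the module prints both renderings; the unsafe one contains an executable `<script>` element, the escaped one only the literal text `&lt;script&gt;`. Escaping is the default defence precisely because it is context-free for HTML body text; inserting the same value into a JavaScript block or an unquoted attribute needs additional, context-specific encoding.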
