Python: Show that reflected XSS works now

RasmusWL · RasmusWL · commit eb545204ec2e · 2020-10-23T14:31:35.000+02:00
Also did autoformatting, but the important part is the change to the .expected file
diff --git a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-079/ReflectedXss.expected b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-079/ReflectedXss.expected
@@ -1,3 +1,7 @@
 edges
+| reflected_xss.py:8:18:8:29 | ControlFlowNode for Attribute | reflected_xss.py:9:26:9:53 | ControlFlowNode for BinaryExpr |
 nodes
+| reflected_xss.py:8:18:8:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| reflected_xss.py:9:26:9:53 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
 #select
+| reflected_xss.py:9:26:9:53 | ControlFlowNode for BinaryExpr | reflected_xss.py:8:18:8:29 | ControlFlowNode for Attribute | reflected_xss.py:9:26:9:53 | ControlFlowNode for BinaryExpr | Cross-site scripting vulnerability due to $@. | reflected_xss.py:8:18:8:29 | ControlFlowNode for Attribute | a user-provided value |
diff --git a/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-079/reflected_xss.py b/python/ql/test/experimental/query-tests/Security-new-dataflow/CWE-079/reflected_xss.py
@@ -2,12 +2,14 @@
 
 app = Flask(__name__)
 
-@app.route('/unsafe')
+
+@app.route("/unsafe")
 def unsafe():
-    first_name = request.args.get('name', '')
-    return make_response("Your name is " + first_name)
+    first_name = request.args.get("name", "")
+    return make_response("Your name is " + first_name)  # NOT OK
+
 
-@app.route('/safe')
+@app.route("/safe")
 def safe():
-    first_name = request.args.get('name', '')
-    return make_response("Your name is " + escape(first_name))
+    first_name = request.args.get("name", "")
+    return make_response("Your name is " + escape(first_name))  # OK
