From 0a864c1de0561e60a6d004c06cf7cbc75ea5d58e Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Thu, 26 Mar 2026 09:13:21 +0000
Subject: [PATCH] fix: resolve CodeQL alert #46 - Reflected server-side
 cross-site scripting

---
 vulnerable_xss.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/vulnerable_xss.py b/vulnerable_xss.py
index 59b8652..b867531 100644
--- a/vulnerable_xss.py
+++ b/vulnerable_xss.py
@@ -25,10 +25,10 @@ def post_comment():
 
 @app.route('/search')
 def search():
-    query = request.args.get('q', '')
+    from markupsafe import escape
+    query = escape(request.args.get('q', ''))
     
-    template = f"<h1>Search results for: {query}</h1>"
-    return render_template_string(template)
+    return f"<h1>Search results for: {query}</h1>"
 
 @app.route('/profile')
 def profile():