forked from microsoft/generative-ai-for-beginners
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathaoai-solution.py
More file actions
59 lines (49 loc) · 2.38 KB
/
aoai-solution.py
File metadata and controls
59 lines (49 loc) · 2.38 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
# here are some suggestions to improve the code:
# - Add input validation to prevent malicious input from being processed by the server. You can use a library like flask-wtf to validate user input and sanitize it before processing.
# - Use environment variables to store sensitive information such as database credentials, API keys, and other secrets. This will prevent the information from being hard-coded in the code and exposed in case of a security breach.
# - Implement error handling to provide meaningful error messages to the user in case of errors. You can use the @app.errorhandler() decorator to handle exceptions and return an error response.
import os
from flask import Flask, render_template_string
from flask_wtf import FlaskForm
from wtforms import StringField, SubmitField
from wtforms.validators import DataRequired, Length, Email
from markupsafe import escape
app = Flask(__name__)
# SECURITY: Load secret key from environment variable instead of hardcoding
app.config['SECRET_KEY'] = os.environ.get('FLASK_SECRET_KEY', os.urandom(32))
class HelloForm(FlaskForm):
name = StringField('Name', validators=[DataRequired(), Length(min=3)])
email = StringField('Email', validators=[DataRequired(), Email()])
submit = SubmitField('Submit')
# Form template with proper CSRF protection and escaping
FORM_TEMPLATE = '''
<!DOCTYPE html>
<html>
<head><title>Hello Form</title></head>
<body>
<form method="POST">
{{ form.hidden_tag() }}
<p>{{ form.name.label }} {{ form.name(size=32) }}
{% for error in form.name.errors %}<span style="color: red;">[{{ error }}]</span>{% endfor %}</p>
<p>{{ form.email.label }} {{ form.email(size=32) }}
{% for error in form.email.errors %}<span style="color: red;">[{{ error }}]</span>{% endfor %}</p>
<p>{{ form.submit() }}</p>
</form>
</body>
</html>
'''
@app.route('/', methods=['GET', 'POST'])
def hello():
form = HelloForm()
if form.validate_on_submit():
# SECURITY: Use escape() to prevent XSS attacks
safe_name = escape(form.name.data)
safe_email = escape(form.email.data)
return f'Hello, {safe_name} ({safe_email})!'
# SECURITY: Use Flask's render_template_string for proper escaping
return render_template_string(FORM_TEMPLATE, form=form)
@app.errorhandler(400)
def bad_request(error):
return 'Bad request', 400
if __name__ == '__main__':
app.run()