Rule Definition
Reflected XSS: The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes a victim to supply dangerous content to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. Once the malicious script is injected, the attacker can perform a variety of malicious activities, such as: get private information, send malicious requests to a web site on behalf of the victim. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to the victim.

Remediation
Depending on the context: use the framework's sanitization methods, markupsafe module, or html.escape(), use the framework's recommended way of sending JSON and HTML (Jinja template with default escaping).

Violation Code Sample

from flask import Flask, make_response

app = Flask(__name__)

@app.route('/q/<query>')
def func(query):
    response = make_response("<h1>Results for: %s</h1> ..." % query)  # violation
    # ...
    return response

Fixed Code Sample

from flask import Flask, make_response, render_template
from html import escape

app = Flask(__name__)

@app.route('/q/<query>')
def func(query):
    response = make_response("<h1>Results for: %s</h1> ..." % escape(query))  # sanitization
    # or
    response = render_template('query_db.html',  template_param_query=query)  # sanitization
    # ...
    return response

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') https://cwe.mitre.org/data/definitions/79.html Open Web Application Security Project (OWASP) https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS) CISQ rule: ASCSM-CWE-79. Cross Site Scripting Prevention Cheat Sheet https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html