format_html (PY-S0901)
Django's format_html() function can be used to safely insert untrusted user data into HTML.
However, passing an already formatted string (such as an f-string) to format_html()
has no effect on the input string: the untrusted value has already been interpolated before the call and is not escaped. This can expose cross-site scripting (XSS) vulnerabilities.
from django.utils.html import format_html

format_html(f"<b>{user_input}</b>")  # `user_input` is interpolated before the call and is NOT escaped!
format_html("<b>{}</b>", user_input)  # `user_input` is passed as an argument and escaped: safe.
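The following added example (not DeepSource's or Django's own code) reproduces the issue with a stand-in for format_html (assumption: same contract as Django's, arguments are escaped and the format string is trusted as markup) so it runs without Django, and includes a small ast-based check that flags the misuse the way PY-S0901 does.

```python
import ast
import html


def format_html_standin(format_string, *args, **kwargs):
    """Stand-in for django.utils.html.format_html (assumption: same contract).
    Arguments are HTML-escaped; the format string itself is trusted as markup."""
    safe_args = [html.escape(str(a)) for a in args]
    safe_kwargs = {k: html.escape(str(v)) for k, v in kwargs.items()}
    return format_string.format(*safe_args, **safe_kwargs)


# Constructed sample input; what matters is whether '<' survives to the output.
USER_INPUT = "<script>alert(1)</script>"


def render_vulnerable(user_input):
    # The f-string builds the markup first, so format_html has no argument to escape.
    return format_html_standin(f"<b>{user_input}</b>")


def render_safe(user_input):
    # The untrusted value is passed as an argument and escaped before insertion.
    return format_html_standin("<b>{}</b>", user_input)


def flag_preformatted_calls(source):
    """Line numbers where format_html() gets an already formatted first argument
    (f-string, str.format() call or %-formatting): the pattern PY-S0901 flags."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and node.args):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name != "format_html":
            continue
        first = node.args[0]
        is_format_call = (isinstance(first, ast.Call)
                          and isinstance(first.func, ast.Attribute)
                          and first.func.attr == "format")
        is_percent = isinstance(first, ast.BinOp) and isinstance(first.op, ast.Mod)
        if isinstance(first, ast.JoinedStr) or is_format_call or is_percent:
            hits.append(node.lineno)
    return sorted(hits)
```

Since Django 5.0, calling format_html() with no args or kwargs also emits a deprecation warning, which is a useful runtime signal for the same mistake.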