New blog post:
Thank for this post! Wasn’t aware of this vulnerability, I do this in a couple of projects.
I’m sure there are many and apologies for my ignorance, but could you point out a couple of ways in which an attacker might be able to modify the contents of the mydata variable? If someone’s modifying your variables, aren’t you in deep deep trouble? (i.e. someone’s in your app server or something like that?)
get_mydata is a stand-in example - it could be using the ORM. Added a clarifying sentence to the post:
mydatais controllable by third parties in any way, for example a user’s comment, or an API’s return data, attackers might try and use it for HTML injection.