XSS and Flask Templates

5.6. XSS and Flask Templates

By default, Flask configures the Jinja template renderer to escape any data it renders. From the docs:

In Flask, Jinja is configured to autoescape any data that is rendered in HTML templates. This means that it’s safe to render user input; any characters they’ve entered that could mess with the HTML, such as < and > will be escaped with safe values that look the same in the browser but don’t cause unwanted effects.

https://flask.palletsprojects.com/en/stable/tutorial/templates/#templates
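To make the quoted behaviour concrete, here is an added example (not code from the Flask docs or from this page) that drives Jinja directly, the same engine Flask uses, with the autoescape policy Flask applies by default. It assumes only that the `jinja2` package is installed (Flask itself is not needed); the template names, the sample input and the function names are constructed for the demonstration. Beyond the quoted paragraph, it also shows the three common ways the protection is switched off in practice.

```python
"""Jinja autoescaping as Flask configures it: what is escaped, and what is not.

Added example, not from the Flask documentation. Requires the jinja2 package
(markupsafe is one of its dependencies). All names below are constructed.
"""
from jinja2 import DictLoader, Environment, select_autoescape
from markupsafe import Markup

# Constructed sample of hostile-looking input: a raw script tag as a username.
UNTRUSTED_NAME = '<script>alert("xss")</script>'

# Flask's default policy: autoescape is on for template files ending in
# .html/.htm/.xml/.xhtml/.svg, and for inline strings (render_template_string).
# Reproduced here with Jinja's own select_autoescape helper.
FLASK_AUTOESCAPE = select_autoescape(
    enabled_extensions=("html", "htm", "xml", "xhtml", "svg"),
    default_for_string=True,
)

# Two templates with identical source but different extensions (constructed).
env = Environment(
    loader=DictLoader({
        "greet.html": "<p>Hello {{ name }}</p>",
        "greet.txt": "<p>Hello {{ name }}</p>",
    }),
    autoescape=FLASK_AUTOESCAPE,
)


def render_named(template_name: str, name: str) -> str:
    """Render a loaded template; escaping depends on the template's extension."""
    return env.get_template(template_name).render(name=name)


def render_escaped(name: str) -> str:
    """Inline template under autoescape: < > " ' & become HTML entities."""
    return env.from_string("<p>Hello {{ name }}</p>").render(name=name)


def render_with_safe_filter(name: str) -> str:
    """The |safe filter declares the value to be trusted HTML; it is emitted verbatim."""
    return env.from_string("<p>Hello {{ name|safe }}</p>").render(name=name)


def render_markup(name: str) -> str:
    """Wrapping a value in Markup() has the same effect as |safe, from the Python side."""
    return env.from_string("<p>Hello {{ name }}</p>").render(name=Markup(name))


def render_preformatted(name: str) -> str:
    """Anti-pattern: the input is formatted into the template *source*, so Jinja
    never sees it as data and autoescaping cannot apply to it."""
    return env.from_string(f"<p>Hello {name}</p>").render()


def is_escaped(output: str) -> bool:
    """True when the script tag survived only in entity-encoded form."""
    return "<script>" not in output and "&lt;script&gt;" in output


if __name__ == "__main__":
    for label, out in [
        ("greet.html       ", render_named("greet.html", UNTRUSTED_NAME)),
        ("greet.txt        ", render_named("greet.txt", UNTRUSTED_NAME)),
        ("inline           ", render_escaped(UNTRUSTED_NAME)),
        ("|safe            ", render_with_safe_filter(UNTRUSTED_NAME)),
        ("Markup()         ", render_markup(UNTRUSTED_NAME)),
        ("formatted source ", render_preformatted(UNTRUSTED_NAME)),
    ]:
        print(f"{label} escaped={is_escaped(out)!s:5}  {out}")
```

The three unescaped cases are the ones to look for in review: `|safe` in a template, `Markup()` in view code, and any template source built with string formatting or concatenation from request data. Note also that the policy keys on the file extension, so a template named `greet.txt` (or any other non-HTML extension) is rendered with autoescaping off even though its content is HTML. Finally, entity escaping is the right defence for text between tags and inside quoted attributes; values placed in unquoted attributes, inside `<script>` blocks, or used as URLs need context-appropriate handling on top of it.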