Description
Hi Flask team,
We recently analyzed several Flask-based applications and noticed a recurring security concern related to url_for(..., _external=True) when used in untrusted request contexts. Specifically, since it uses request.host by default to construct the external URL, applications that do not explicitly configure SERVER_NAME or sanitize headers can be vulnerable to host header injection.
To improve developer awareness and reduce misuse, we suggest: Add a warning to the url_for documentation about the risk of relying on request.host, and recommend the use of SERVER_NAME or trusted_hosts when generating external URLs.
We’d be happy to help draft the relevant documentation or contribute a pull request if this direction aligns with the maintainers' goals.
Best regards,
Rui Yang and Zhengyu Liu
Johns Hopkins University
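The mechanism the issue describes, as an added standalone model (not Flask's or Werkzeug's code): a request that arrives with an attacker-controlled Host header, an external URL builder that copies that host the way `url_for(..., _external=True)` does when nothing pins the server name, and the two mitigations the issue names. The `AppConfig`, `external_url` and `host_is_trusted` names are this example's own; the allowlist matching is assumed to follow Werkzeug's `trusted_hosts` convention (a leading dot also accepts subdomains, port ignored), and the framework would answer a rejected host with a 400 rather than this example's exception.

```python
"""Model of external-URL host selection and of the two fixes the issue
recommends: pin SERVER_NAME, or reject Host headers that are not on a
trusted-host allowlist. Standalone example; not the framework's code."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlunsplit


class UntrustedHostError(ValueError):
    """Host header not on the allowlist (the real framework returns HTTP 400)."""


def split_host(host_header: str) -> str:
    """Hostname part of a Host header value: lowercase, no port, no trailing dot."""
    h = host_header.strip().lower()
    if h.startswith("["):  # IPv6 literal such as [::1]:8080
        end = h.find("]")
        return h[: end + 1] if end != -1 else h
    return h.split(":", 1)[0].rstrip(".")


def host_is_trusted(host_header: str, trusted: List[str]) -> bool:
    """Allowlist check; an entry starting with '.' also admits subdomains.
    Assumption: same semantics as Werkzeug's trusted_hosts matching."""
    hostname = split_host(host_header)
    for entry in trusted:
        ref = entry.lower().rstrip(".")
        if ref.startswith("."):
            if hostname == ref[1:] or hostname.endswith(ref):
                return True
        elif hostname == ref:
            return True
    return False


@dataclass
class AppConfig:
    """Subset of the Flask settings the issue talks about (names assumed)."""
    SERVER_NAME: Optional[str] = None
    TRUSTED_HOSTS: Optional[List[str]] = None
    PREFERRED_URL_SCHEME: str = "https"


def external_url(path: str, request_host: str, config: AppConfig) -> str:
    """Pick the host for an absolute URL the way the issue describes:
    SERVER_NAME wins; otherwise the request's Host header is used, after an
    allowlist check if TRUSTED_HOSTS is configured."""
    if config.SERVER_NAME:
        host = config.SERVER_NAME
    else:
        if config.TRUSTED_HOSTS is not None and not host_is_trusted(
            request_host, config.TRUSTED_HOSTS
        ):
            raise UntrustedHostError(f"untrusted Host header: {request_host!r}")
        host = request_host
    return urlunsplit((config.PREFERRED_URL_SCHEME, host, path, "", ""))


# Constructed sample input: a password-reset link built during a request
# whose Host header was set by the client, not by the operator.
SPOOFED_HOST = "evil.example"
RESET_PATH = "/reset/abc123"


def demo() -> dict:
    """Run the three configurations against the same spoofed request."""
    results = {}

    # 1. No SERVER_NAME, no allowlist: the spoofed host lands in the emailed link.
    results["weak"] = external_url(RESET_PATH, SPOOFED_HOST, AppConfig())

    # 2. SERVER_NAME pinned: the Host header is not consulted at all.
    results["server_name"] = external_url(
        RESET_PATH, SPOOFED_HOST, AppConfig(SERVER_NAME="app.example.com")
    )

    # 3. Allowlist: the spoofed host is rejected, a legitimate one passes.
    allowlist = AppConfig(TRUSTED_HOSTS=[".example.com"])
    try:
        external_url(RESET_PATH, SPOOFED_HOST, allowlist)
        results["trusted_hosts"] = "accepted"
    except UntrustedHostError:
        results["trusted_hosts"] = "rejected"
    results["trusted_hosts_ok"] = external_url(
        RESET_PATH, "api.example.com:8443", allowlist
    )
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15s} {value}")
```

The "weak" entry is the outcome the issue warns about: whatever the client put in Host becomes the origin of a link the application then mails out. Pinning `SERVER_NAME` is the simplest fix for a single-host deployment; an allowlist is the option when the application legitimately serves several hostnames, and its check must run before `request.host` is ever read into a URL.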