From e2635d5c61c4e1edb075d3cc75cd63eb6cf4070f Mon Sep 17 00:00:00 2001
From: jonasc <jonasc@users.noreply.github.com>
Date: Wed, 20 Apr 2022 22:56:07 +0200
Subject: [PATCH] Move comment to actual vulnerability position

The comment wrongly indicated the XSS vulnerability while rendering the "error.html" template, but it occurs when rendering the "search.html" template.
---
 flask_webgoat/ui.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/flask_webgoat/ui.py b/flask_webgoat/ui.py
index f7f107d9..2b0bd060 100644
--- a/flask_webgoat/ui.py
+++ b/flask_webgoat/ui.py
@@ -11,12 +11,12 @@ def search():
     query_param = request.args.get("query")
     if query_param is None:
         message = "please provide the query parameter"
-        # vulnerability: XSS
         return render_template("error.html", message=message)
 
     try:
         query = "SELECT username, access_level FROM user WHERE username LIKE ?;"
         results = query_db(query, (query_param,))
+        # vulnerability: XSS
         return render_template(
             "search.html", results=results, num_results=len(results), query=query_param
         )