This API looks like a recipe for XSS vulnerabilities:

What if data['time'] is '<script>alert("oops!")</script>'?

While JavaScript's template literals [1] would allow this kind of API to work (because the prefix of the template string can be a function that escapes the parameters), Python's f-strings don't have equivalent functionality. The tuple returned from the render function should probably include an additional item containing the parameters for the format string (which shouldn't be an f-string).
See also [2].
[1] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Refe...
[2] https://en.wikipedia.org/wiki/Uncontrolled_format_string
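The two shapes of the API the comment above contrasts, as an added example that is not part of the original comment or of the framework being discussed. Everything here is assumed for illustration: `render_unsafe` stands in for a view that returns an already-interpolated f-string, `render` for the suggested (template, params) tuple, and `_EscapingFormatter` for the framework-side step that HTML-escapes each parameter. It also rejects attribute or index access inside the template, which is the uncontrolled-format-string problem [2] that arises as soon as the template itself is influenced by input. The payload is the constructed sample from the comment.

```python
import html
from string import Formatter

# Constructed sample input: the value the comment imagines in data['time'].
PAYLOAD = '<script>alert("oops!")</script>'


def render_unsafe(data):
    """Hypothetical view in the style the comment objects to.

    The f-string is evaluated inside the view, so whatever data['time']
    holds is already part of the returned HTML and nothing downstream can
    tell markup from data.
    """
    return f"<p>The time is {data['time']}</p>"


def render(data):
    """Hypothetical view in the suggested style.

    The template is a literal written by the developer (not an f-string),
    and the values to substitute travel separately so the framework can
    escape them before substitution.
    """
    return "<p>The time is {time}</p>", {"time": data["time"]}


class _EscapingFormatter(Formatter):
    """str.format-style formatter that escapes every substituted value.

    Assumed framework-side helper (not the project's code). Two rules:
    * only plain identifiers are accepted as fields, so a template such as
      "{time.__class__}" or "{0}" is rejected instead of walking objects;
    * every value is HTML-escaped after its format spec is applied.
    """

    def get_field(self, field_name, args, kwargs):
        if not field_name.isidentifier():
            raise ValueError(f"disallowed field {field_name!r} in template")
        return kwargs[field_name], field_name

    def format_field(self, value, format_spec):
        # Apply the developer's format spec first (e.g. ">10"), then escape
        # the result so '<', '>', '&' and quotes cannot form markup.
        return html.escape(format(value, format_spec), quote=True)


_formatter = _EscapingFormatter()


def framework_render(view, data):
    """Assumed framework entry point: call the view, then escape-and-fill."""
    template, params = view(data)
    return _formatter.vformat(template, (), params)


def try_render(template, params):
    """Render a raw template, returning the exception class name if rejected.

    Used to show what happens when the template itself comes from input.
    """
    try:
        return _formatter.vformat(template, (), params)
    except (ValueError, KeyError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    data = {"time": PAYLOAD}
    print("unsafe:", render_unsafe(data))
    print("safe:  ", framework_render(render, data))
    print("attacker-controlled template:",
          try_render("{time.__class__.__mro__}", data))
```

The escaping lives in the formatter rather than in each view, which is the point of the tuple suggestion: a view can no longer forget to escape, because by the time it returns, nothing has been interpolated yet. Note that this is only correct for HTML text content; a value placed inside a `<script>` block, a URL attribute or a CSS context needs a context-specific encoder, which `html.escape` does not provide.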