How to prevent an SSTI at code level in Flask:
The following image shows the Server-Side Template Injection vulnerability in Burp Suite: the typical probe string {{7*7}} is evaluated by the template engine and rendered as the number 49:
The original code, written in Python, is as follows:
To sanitize this code and prevent an SSTI attack, we can use regular expressions with the re.sub function:
Removing curly brackets ‘{}’ from the input:
An even more secure way is to remove all symbols and allow only alphanumeric characters, as follows:
Finally, the sanitized code is:
If we try again, the vulnerability does not occur:
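The two sanitizers described above (stripping curly braces, then allowing only alphanumeric characters) as a runnable example. This is added code, not the article's original snippets; it assumes a greeting that embeds a user-supplied name, uses Jinja2 (Flask's template engine) only to show what each variant renders, and runs the sanitizers alone if Jinja2 is not installed. It also adds the structural fix a practitioner would pair with sanitization: keep the template static and pass the input as a context variable rather than concatenating it into the template source.

```python
import re

try:
    from jinja2 import Template  # Flask's template engine; used only to show each variant's output
    JINJA_AVAILABLE = True
except ImportError:  # assumption: jinja2 may be absent; the sanitizers still work without it
    Template = None
    JINJA_AVAILABLE = False

# Constructed sample inputs: a benign name plus the classic {{7*7}} probe from the article.
SAMPLE_INPUTS = ["Alice", "{{7*7}}", "{{ config }}", "{% if 1 %}x{% endif %}"]


def strip_curly_braces(user_input: str) -> str:
    """First sanitizer: drop '{' and '}' so no Jinja2 delimiter ({{, }}, {%, %}) survives."""
    return re.sub(r"[{}]", "", user_input)


def alphanumeric_only(user_input: str) -> str:
    """Stricter sanitizer: keep only ASCII letters and digits (assumes a name field needs nothing else)."""
    return re.sub(r"[^A-Za-z0-9]", "", user_input)


def render_unsafe(user_input: str) -> str:
    """Vulnerable pattern: user input is concatenated into the template SOURCE, so Jinja2 evaluates it."""
    if not JINJA_AVAILABLE:
        return ""
    return Template("Hello " + user_input).render()


def render_sanitized(user_input: str, sanitizer=alphanumeric_only) -> str:
    """The article's fix: sanitize first, then render; with the braces gone the engine sees plain text."""
    if not JINJA_AVAILABLE:
        return ""
    return Template("Hello " + sanitizer(user_input)).render()


def render_as_variable(user_input: str) -> str:
    """Added structural fix: a static template with the input passed as a context variable.
    The braces in the input are output literally, never evaluated; autoescape also neutralises HTML."""
    if not JINJA_AVAILABLE:
        return ""
    return Template("Hello {{ name }}", autoescape=True).render(name=user_input)


if __name__ == "__main__":
    for s in SAMPLE_INPUTS:
        print(f"{s!r:26} braces_stripped={strip_curly_braces(s)!r:22} alnum={alphanumeric_only(s)!r}")
        if JINJA_AVAILABLE:
            print(f"    unsafe={render_unsafe(s)!r:14} sanitized={render_sanitized(s)!r:14}"
                  f" variable={render_as_variable(s)!r}")
```

With Jinja2 installed, `render_unsafe("{{7*7}}")` returns `Hello 49` (the behaviour seen in Burp Suite), `render_sanitized("{{7*7}}")` returns `Hello 77`, and `render_as_variable("{{7*7}}")` returns the literal `Hello {{7*7}}`. Regex stripping is a useful defence in depth, but the variable-based rendering is what removes the injection point itself, because user data never becomes part of the template source.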