from flask import Flask, Response

app = Flask(__name__)

HTML_DATA = '<script>alert("Javascript executed");</script>'


# Default test case
@app.route('/test')
def test():
	return Response(HTML_DATA)


# Bypass 1 - HTTP Status Code 3xx
@app.route('/bypass-1')
def bypass_status_code():
	resp = Response(HTML_DATA)
	resp.status_code = 399	
	
	return resp


# Bypass 2 - `Content-Disposition: inline` Header
@app.route('/bypass-2')
def bypass_content_disposition():
	resp = Response(HTML_DATA)
	resp.headers['Content-Disposition'] = 'inline'
	
	return resp


# Bypass 3 - Omitted / Altered `Content-Type` Header
@app.route('/bypass-3')
def bypass_content_type():
	resp = Response(HTML_DATA)
	del resp.headers['Content-Type']
	
	return resp


if __name__ == '__main__':
	app.run(port=8080, host='localhost')