Note, an alternative to completely hand coding forms is to hand code
everything but the opening, closing, and widgets, and use form.custom as
described here: http://web2py.com/book/default/chapter/07#Custom-forms. In
that case, form.custom.end will include the two hidden fields (as well as
the
that is *so* cool. thanks Anthony.
I've modified my controller code to create a form and call accepts():
form = FORM(TEXTAREA(_name='message'), INPUT(_name='email'))
if form.accepts(request.vars, session): etc
and return the form so it's passed to my view
My view is still hand-coded HTML but now I'
On Friday, July 15, 2011 10:53:55 AM UTC-4, Carl wrote:
>
> that's excellent news (and thanks for those links).
>
> if I'm defining the HTML of a form in a file in my views/ directory
> how do I leverage this gatekeeper?
>
If you're building forms manually in HTML, you'll still have to call
form
Anytime that you use {{=var}} in a view, the "var" or whatever it is you are
injecting into the HTML is automatically escaped to prevent injection
attacks. If you wanted to pass in some pre-formatted HTML, you would have to
specifically wrap it in an XML() object for it to display properly,
byp
To clarify...
crud.create and crud.update have XSRF protection.
SQLFORM with accepts(request,session) has it too.
SQLFORM with accepts(request) and no session passed has no XSRF. This
is intentional to allow passing forms, for example, from other apps.
On Jul 15, 9:53 am, Carl Roach wrote:
> t
and relatedly... I'm using Web2py JSON api.
is my site protected "out of the box" or do I need to pass parameters
in a particular manner?
On 15 July 2011 15:53, Carl Roach wrote:
> that's excellent news (and thanks for those links).
>
> if I'm defining the HTML of a form in a file in my views/ di
that's excellent news (and thanks for those links).
if I'm defining the HTML of a form in a file in my views/ directory
how do I leverage this gatekeeper?
On 15 July 2011 15:49, Anthony wrote:
> web2py already uses the second method mentioned, as long as you call
> form.accepts(request, sessio
See http://web2py.com/book/default/chapter/01?search=CSRF and
http://web2py.com/book/default/chapter/07#Hidden-fields.
On Friday, July 15, 2011 10:49:08 AM UTC-4, Anthony wrote:
> web2py already uses the second method mentioned, as long as you call
> form.accepts(request,
> session) in your fo
web2py already uses the second method mentioned, as long as you call
form.accepts(request,
session) in your form action (you have to pass session to form.accepts
because it stores the formkey in the session). Note, this also protects
against double form submission (the formkey is only good for