Re: [web2py-dev] [web2py] Re: strange response.flash

2012-08-06 Thread Massimo DiPierro
Sorry. I misread your email. Massimo On Aug 4, 2012, at 10:53 AM, Anthony wrote: > I see. I think the problem is only with response.flash within Ajax > components. The message is escaped on the server via urllib2.quote, and then > decoded in the browser via decodeURIComponent (see source code)

Re: [web2py-dev] [web2py] Re: strange response.flash

2012-08-06 Thread Massimo Di Pierro
I think Anthony is right. His suggested fix is now in trunk. Give it a try. On Sunday, 5 August 2012 23:21:53 UTC-5, Anthony wrote: > > With xmlescape, HTML helpers should still work fine -- xmlescape does not > escape helpers, only the components within the helpers (I think it > basically repli

Re: [web2py-dev] [web2py] Re: strange response.flash

2012-08-05 Thread Anthony
With xmlescape, HTML helpers should still work fine -- xmlescape does not escape helpers, only the components within the helpers (I think it basically replicates the escaping behavior of web2py views): >>> xmlescape(A("Hello World", _href="#")) 'Hello World' However, with xmlescape, raw HTML wi
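The escaping behaviour this thread is debating, as an added example that is not part of the original posts or of web2py's own code. It models the two paths under discussion: the pre-fix Ajax path, where the flash message is passed through `str()` and then URL-quoted for the browser to run `decodeURIComponent` on, and the proposed path, where `xmlescape()` is applied first. The `A` class and `xmlescape()` here are minimal stand-ins written for this example (an object that serialises itself via `.xml()` is passed through, plain strings are escaped), not gluon's implementations, and `urllib.parse.quote`/`unquote` from Python 3 stand in for `urllib2.quote` and the browser-side `decodeURIComponent`.

```python
import html
from urllib.parse import quote, unquote


class A:
    """Stand-in for a web2py HTML helper (assumption for this example, not
    gluon's class): string components are escaped, attributes with a leading
    underscore become HTML attributes, and str() yields the rendered markup."""

    def __init__(self, *components, **attributes):
        self.components = components
        self.attributes = attributes

    def xml(self):
        attrs = "".join(
            ' %s="%s"' % (key[1:], html.escape(str(val), quote=True))
            for key, val in self.attributes.items()
            if key.startswith("_")
        )
        inner = "".join(xmlescape(c) for c in self.components)
        return "<a%s>%s</a>" % (attrs, inner)

    def __str__(self):
        return self.xml()


def xmlescape(value):
    """Modelled on the behaviour described in the thread: a helper (anything
    with an .xml() method) is rendered untouched, while a plain string gets
    its HTML metacharacters escaped. Not gluon.html.xmlescape itself."""
    if hasattr(value, "xml"):
        return value.xml()
    return html.escape(str(value), quote=True)


def flash_payload_unescaped(flash):
    """Pre-fix Ajax path: str() then URL-quote. Markup in a user-controlled
    message survives the round trip and is inserted into the page verbatim."""
    return quote(str(flash))


def flash_payload_escaped(flash):
    """Proposed fix: xmlescape() before URL-quoting, with newlines removed
    (the .replace('\\n','') from Martin's post) so the value stays on one
    line for the header/JavaScript hand-off."""
    return quote(xmlescape(flash).replace("\n", ""))


def browser_decode(payload):
    """Stand-in for decodeURIComponent() running in the browser."""
    return unquote(payload)


if __name__ == "__main__":
    # Constructed inputs: an attacker-influenced string, a helper, and the
    # non-ASCII message from the thread.
    hostile = "<script>alert(1)</script>"
    print(browser_decode(flash_payload_unescaped(hostile)))   # script tag intact
    print(browser_decode(flash_payload_escaped(hostile)))     # &lt;script&gt;...
    print(browser_decode(flash_payload_escaped(A("Hello World", _href="#"))))
    print(browser_decode(flash_payload_escaped("hello there äöü")))
```

With the unescaped path the `<script>` element reaches the DOM unchanged; with `xmlescape()` first it arrives as entity-encoded text, while `A("Hello World", _href="#")` still renders as a link because the helper itself is not escaped, only the strings inside it.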

Re: [web2py-dev] [web2py] Re: strange response.flash

2012-08-05 Thread Massimo DiPierro
I think response.flash = A("Hello World", _href="#") should be allowed. It was always allowed. This is a backward compatibility issue. Yet I see there is a potential security issue there. I am not sure what the exact solution should be. Perhaps automatic sanitization of flash messages befo

Re: [web2py] Re: strange response.flash

2012-08-05 Thread Niphlod
Would serialized HTML messages be escaped then ? What if someone uses response.flash = A("Hello World", _href="#") ? On Monday, August 6, 2012 4:50:31 AM UTC+2, Anthony wrote: > > Bump. Should we replace str() with xmlescape() so Ajax flash messages get > escaped, just like regular flash message

Re: [web2py] Re: strange response.flash

2012-08-05 Thread Anthony
Bump. Should we replace str() with xmlescape() so Ajax flash messages get escaped, just like regular flash messages and everything else in the view? Anthony On Saturday, August 4, 2012 9:23:53 PM UTC-4, Anthony wrote: > > On Saturday, August 4, 2012 7:00:18 PM UTC-4, dbdeveloper wrote: >> >> I

Re: [web2py] Re: strange response.flash

2012-08-04 Thread Anthony
On Saturday, August 4, 2012 7:00:18 PM UTC-4, dbdeveloper wrote: > > I do not understand what the problem with decodeURIComponent()? > When I tried trunk, I think there was a problem with the encoding of my controller file (ANSI instead of UTF-8) -- in that case, I guess urllib2.quote didn't yi

Re: [web2py] Re: strange response.flash

2012-08-04 Thread Martin Weissenboeck
I have tried xmlescape(response.flash).replace('\n','') Yes, this solves the problems. Would be nice to have it in trunk. Thank you! 2012/8/4 Anthony > I see. I think the problem is only with response.flash within Ajax > components. The message is escaped on the server via urllib2.quote, and >

Re: [web2py] Re: strange response.flash

2012-08-04 Thread Anthony
I see. I think the problem is only with response.flash within Ajax components. The message is escaped on the server via urllib2.quote, and then decoded in the browser via decodeURIComponent (see source code

Re: [web2py] Re: strange response.flash

2012-08-04 Thread Martin Weissenboeck
Hi Anthony, thank you! (1) Restricted character for args - that is ok! (2) ajax=True: def flash6(): return dict(load=LOAD('default', 'flash6a.load', ajax=True)) def flash6a(): response.flash='hello there* äöü*' return dict() Same result, nothing to see. But def flash6(): retu

[web2py] Re: strange response.flash

2012-08-03 Thread Anthony
This issue is not with response.flash but with request.args. The characters allowed in args are fairly restrictive -- here are the regexes used: http://code.google.com/p/web2py/source/browse/gluon/rewrite.py#51, http://code.google.com/p/web2py/source/browse/gluon/rewrite.py#575. In the LOAD() e