Re: [web2py] Re: Security - Escaping In Template Engine

2010-07-14 Thread Craig Younkins
I'm looking at xmlescape in html.py: http://code.google.com/p/web2py/source/browse/gluon/html.py?r=#96 `cgi.escape(data, quote).replace("'", "&#x27;")` This looks good. I need to do some performance analysis of replace() to see if I can

Re: [web2py] Re: Security - Escaping In Template Engine

2010-07-14 Thread Craig Younkins
Yes, you can escape both a and b such that it works in either context. Reference rule #1 and #2 on http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
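Added example, not from web2py or from the thread: an escaper in the spirit of the xmlescape discussed above that covers the five characters OWASP rules #1 and #2 call for, so one escaped value is safe both as HTML element content and inside a double- or single-quoted attribute. The function names are assumptions; `html.escape` stands in for the `cgi.escape` the posts refer to.

```python
import html


def xmlescape_manual(data: str) -> str:
    """Escape untrusted text for HTML element content or a quoted attribute.

    Ampersand goes first so the entities emitted afterwards are not
    re-escaped. Single quotes become &#x27; rather than &apos;, which is
    not defined in HTML4 (the choice OWASP rule #1 recommends).
    """
    return (
        data.replace("&", "&amp;")
        .replace("<", "&lt;")
        .replace(">", "&gt;")
        .replace('"', "&quot;")
        .replace("'", "&#x27;")
    )


def xmlescape_stdlib(data: str) -> str:
    """Same five-character escape via the standard library.

    html.escape with quote=True also emits &quot; and &#x27;, so the two
    implementations agree byte for byte.
    """
    return html.escape(data, quote=True)


def render_both_contexts(untrusted: str) -> str:
    """Reuse one escaped value in attribute and element-content position."""
    safe = xmlescape_manual(untrusted)
    return f'<span title="{safe}">{safe}</span>'


if __name__ == "__main__":
    # Constructed sample input exercising all five characters (hypothetical).
    sample = "Tom & \"Jerry\" <b>'s"
    print(xmlescape_manual(sample))
    print(render_both_contexts(sample))
```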