Sorry. I misread your email.
Massimo
On Aug 4, 2012, at 10:53 AM, Anthony wrote:
> I see. I think the problem is only with response.flash within Ajax
> components. The message is escaped on the server via urllib2.quote, and then
> decoded in the browser via decodeURIComponent (see source code)
I think Anthony is right. His suggested fix is now in trunk. Give it a try.
On Sunday, 5 August 2012 23:21:53 UTC-5, Anthony wrote:
With xmlescape, HTML helpers should still work fine -- xmlescape does not
escape helpers, only the components within the helpers (I think it
basically replicates the escaping behavior of web2py views):
>>> xmlescape(A("Hello World", _href="#"))
'<a href="#">Hello World</a>'
However, with xmlescape, raw HTML wi
I think
response.flash = A("Hello World", _href="#")
should be allowed. It was always allowed. This is a backward compatibility
issue. Yet I see there is a potential security issue there.
I am not sure what the exact solution should be. Perhaps automatic sanitization
of flash messages befo
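The escaping split described in this thread (helpers pass through xmlescape untouched while their components are escaped, plain strings are HTML-escaped, and the Ajax path only percent-encodes for transport) as a self-contained Python example added here. This is not code from the thread or from web2py: the A class and xmlescape below are simplified stand-ins for gluon.html, render_flash and ajax_roundtrip are hypothetical helpers, and USER_INPUT is a constructed hostile string.

```python
import html
from urllib.parse import quote, unquote


class A:
    """Constructed stand-in for a web2py anchor helper (assumption: mimics
    gluon.html.A only as far as the thread needs). The tag is trusted markup;
    the pieces placed inside it are escaped by xml()."""

    def __init__(self, text, _href="#"):
        self.text = text
        self.href = _href

    def xml(self):
        # Components inside the helper are escaped, the tag itself is not.
        return '<a href="%s">%s</a>' % (
            html.escape(self.href, quote=True),
            html.escape(self.text, quote=True),
        )


def xmlescape(data):
    """Mirror the behaviour Anthony describes: anything with an xml() method
    (a helper) is rendered as-is, any other value is HTML-escaped."""
    if hasattr(data, "xml"):
        return data.xml()
    return html.escape(str(data), quote=True)


def render_flash(message):
    """What a view would emit for response.flash once it is escaped.
    A helper keeps its markup; a raw string cannot inject tags."""
    return '<div class="flash">%s</div>' % xmlescape(message)


def ajax_roundtrip(message):
    """Server side: HTML-escape, then percent-encode (urllib2.quote in the
    thread). Client side: decodeURIComponent, stood in for by unquote.
    Percent-encoding is transport only, so the HTML escaping must already
    have happened before quote() for the decoded text to be safe."""
    encoded = quote(xmlescape(message), safe="")
    return unquote(encoded)


# Constructed hostile input of the kind a user-controlled flash could carry.
USER_INPUT = '<img src=x onerror="alert(1)">'

if __name__ == "__main__":
    print(render_flash(A("Hello World", _href="#")))
    print(render_flash(USER_INPUT))
    print(ajax_roundtrip(USER_INPUT))
```

Running the block shows the helper surviving as a real link while the hostile string comes out as inert text on both the plain and the Ajax path, which is the backward-compatible behaviour Massimo wants and the sanitisation Anthony's fix provides.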