What's the correct procedure here? Should I be entering a bug report into Launchpad?
Eddie On Jun 16, 5:34 am, mdipierro <mdipie...@cs.depaul.edu> wrote: > hmmm. yes this is a bug with sanitize. > > On Jun 15, 8:50 pm, Eddie Eyles <ho...@heddonsgate.co.uk> wrote: > > > Thanks one and all for your suggestions - very useful. > > I'm not especially happy with the way sanitizer.sanitize behaves: > > * if you pass it <br> tags, it gives you <br/> tags [i.e. with no > > space before the /], which, although not illegal, are discouraged as > > against <br /> [with a space], for compatibility with older browsers; > > * if you pass it <br /> tags [i.e. with a space], it also gives you > > <br/> tags [with no space]; > > * if you pass it <br/> tags [i.e. with no space], it gives you the > > gobbledegook, for example: > > Hello Eddie<br/>Hello Martinhoe<br/>Hello World becomes: > > Hello Eddie<br/>>Hello Martinhoe<br</br>>Hello World > > > Does this mean there are problems with sanitize here? > > > Eddie > > > On Jun 15, 7:00 am, mdipierro <mdipie...@cs.depaul.edu> wrote: > > > > Yes, this is what you want: > > > > <td>{{=XML(row.basic.comments.replace('\n','<br>'),sanitize=True)}}</ > > > td> > > > > <br> is deprecated and it should be <br />, sanitize fixes it for you. > > > > You can also be more explicit > > > > <td>{{=XML(row.basic.comments.replace('\n','<br>'),permitted_tags= > > > ['br/'],sanitize=True)}}</td> > > > > so that only <br /> is un-escaped. > > > > Massimo > > > > On Jun 14, 8:56 pm, Eddie Eyles <ho...@heddonsgate.co.uk> wrote: > > > > > I'm retrieving data that may contain carriage returns, and I want to > > > > display this with these line breaks intact, i.e. I need to put either > > > > a '<br/>' or an HTML block element closure/opening in place of each > > > > carriage return. I have tried the following in the view: > > > > > <td>{{=row.basic.comments.replace('\n','<br/>')}}</td> > > > > -- this outputs '<br/>' instead of '<br/>', as you would expect > > > > > <td>{{=row.basic.comments.replace('\n',XML('<br/>'))}}</td> > > > > -- this generates an error 'expected a character buffer object' > > > > > <td>{{=XML(row.basic.comments.replace('\n','<br/>'))}}</td> > > > > -- this achieves what I want, but of course it also means the entire > > > > field is unescaped, leaving it vulnerable to XSS attack > > > > > <td>{{=XML(row.basic.comments.replace('\n','<br/>'),sanitize=True)}}</ > > > > td> > > > > -- this produces gobbledegook > > > > > <td>{{=XML(row.basic.comments.replace('\n','<br>'),sanitize=True)}}</ > > > > td> > > > > -- this seems to be just right (but strangely the expected '<br>' tags > > > > are converted to '<br/>') > > > > > Am I doing the right thing with my last effort? I am very new to both > > > > web2py and python. > > > > > Eddie --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "web2py Web Framework" group. To post to this group, send email to web2py@googlegroups.com To unsubscribe from this group, send email to web2py+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/web2py?hl=en -~----------~----~----~----~------~----~------~--~---