Thanks for your suggestions, although nothing gets me the desired result. If I use urllib.quote or XML in the controller, way too much gets escaped (all < and > signs, blanks, etc.), which is not what I want. And I'd have to do this for all attributes in every controller function.

My problem is exactly the same as in this Stack Overflow question for Django: https://stackoverflow.com/questions/14290517/safely-using-json-with-html-inside-of-the-json-in-django-templates. In Django there seems to be an escapejs filter. Then I found out that there is an ASSIGNJS helper in web2py, which is actually exactly what I need. Therefore I could replace

    <script type="text/javascript"> var filterSettings = {{=XML(filter_settings)}}; </script>

with

    <script type="text/javascript"> {{=ASSIGNJS(filterSettings=filter_settings)}}; </script>

and expect everything to work fine and safe. Only to find out that this is vulnerable to the same exploit (at least in web2py 2.12.3). In case this still happens with the newest web2py version, this is a major security flaw, if I'm not mistaken. I'll test this soon and then get back here.

Why are we still using such an old version? I waited very long until web2py was Python 3 ready, because upgrading web2py in our production system involves a lot of work (updating the deployment process and all instances, lots of testing, etc.). Since we need to upgrade to Python 3 anyway, we only want to upgrade once for now.

On Tuesday, April 16, 2019 at 1:41:39 PM UTC+2, Leonel Câmara wrote:
> Another thing you can do is simply quote the name
>
> import urllib
> filter_settings = dict(name=urllib.quote(request.vars.name))
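To show the kind of escaping the thread is after (the escapejs idea applied to a whole JSON blob so that a value containing </script> cannot end the script element), here is an added example; it is not web2py code and does not reproduce ASSIGNJS, and json_for_script and assign_js are hypothetical helper names.

```python
import json

# Characters that must never appear literally inside a <script> block.
# "<" and ">" could form "</script>" and close the element early;
# "&" matters if the same output is ever reused in an HTML context;
# U+2028/U+2029 are line terminators in older JavaScript engines and
# would split a string literal. Each is replaced by a JSON \uXXXX escape,
# which json.loads()/JSON.parse() decode back to the original character.
_SCRIPT_UNSAFE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",
    "\u2029": "\\u2029",
}


def json_for_script(value):
    """Serialise value to JSON that is safe to embed inside <script>...</script>.

    json.dumps() already escapes quotes and backslashes, so user data cannot
    terminate the JavaScript literal; the extra replacements make sure the
    result can never terminate the surrounding HTML <script> element either.
    """
    text = json.dumps(value, ensure_ascii=False)
    for char, escaped in _SCRIPT_UNSAFE.items():
        text = text.replace(char, escaped)
    return text


def assign_js(**variables):
    """Render 'var name = <json>;' lines for a view's <script> block."""
    return "\n".join(
        "var %s = %s;" % (name, json_for_script(value))
        for name, value in variables.items()
    )


if __name__ == "__main__":
    # Constructed sample: a value that would otherwise break out of <script>.
    sample = {"name": "</script><script>alert(1)</script>"}
    print(assign_js(filterSettings=sample))
```

In a web2py view the rendered string still has to be wrapped in XML() so the template engine does not HTML-escape it a second time.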