I guess the authors of RSS2 assume that there can be valid HTML in the fields.
Yes this is bad. I think we should form RSS2 and sanitize the fields before making the RSS. Want to send me a patch?

Massimo

On Nov 24, 1:18 am, Thadeus Burgess <thade...@thadeusb.com> wrote:
> No the escaping is not done in the RSS2 module, I checked. Firefox is
> displaying the form and everything I posted as a comment.... bad bad bad!
>
> I fixed it by calling XML sanitize as I was looping through the rows. I do
> think there should be a note about this?
>
> ...
> description=XML(row.comment.content, sanitize=True,
> permitted_tags=[]).xml(),
> ...
>
> -Thadeus
>
> On Tue, Nov 24, 2009 at 12:47 AM, mdipierro <mdipie...@cs.depaul.edu> wrote:
>
> > I think it does but not there. It calls gluon.serializers.rss which
> > calls gluon.contrib.rss2.dumps. This is a standard python module for
> > RSS. This module uses SAX for generating XML+RSS.
>
> > generic.rss does not escape because the data passed to it is already
> > in XML.
>
> > The escaping should be done by the RSS2 module. Is it not? Are you
> > having a problem with it?
>
> > Massimo
>
> > On Nov 24, 12:13 am, Thadeus Burgess <thade...@thadeusb.com> wrote:
>
> > > Why does the generic.rss default to non-escaped output?
>
> > > -Thadeus
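The behaviour discussed in this thread, as an added example that is not part of the original messages or of web2py's code: a SAX generator XML-escapes the description, so the feed is well-formed, but the reader gets the comment's HTML back after parsing. Here `html.escape` stands in for the `XML(..., sanitize=True, permitted_tags=[])` call from the thread; the function names and the sample comment are constructed for illustration.

```python
import html
import io
import xml.etree.ElementTree as ET
from xml.sax.saxutils import XMLGenerator

# Constructed sample comment containing markup a feed reader would render.
COMMENT = 'Nice post <form action="/x"><input name="q"></form>'


def build_feed(description):
    """Serialize a one-item RSS 2.0 feed with a SAX generator."""
    out = io.StringIO()
    gen = XMLGenerator(out, encoding="utf-8")
    gen.startDocument()
    gen.startElement("rss", {"version": "2.0"})
    gen.startElement("channel", {})
    gen.startElement("item", {})
    gen.startElement("description", {})
    gen.characters(description)  # XML-level escaping of &, <, > only
    gen.endElement("description")
    gen.endElement("item")
    gen.endElement("channel")
    gen.endElement("rss")
    gen.endDocument()
    return out.getvalue()


def reader_view(feed_xml):
    """Return the description string a feed reader holds after XML parsing.
    Readers commonly treat this string as HTML and render it."""
    root = ET.fromstring(feed_xml.encode("utf-8"))
    return root.find("./channel/item/description").text


def sanitize_field(text):
    """Stand-in sanitizer (assumption): escape all markup so it shows as text."""
    return html.escape(text, quote=True)


unsafe = reader_view(build_feed(COMMENT))                 # raw HTML comes back
safe = reader_view(build_feed(sanitize_field(COMMENT)))   # inert, escaped text

if __name__ == "__main__":
    print("unsanitized:", unsafe)
    print("sanitized:  ", safe)
```
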