By default, web2py already escapes all variables rendered in views to
prevent XSS -- what additional protection does this provide?
On Wednesday, May 25, 2011 10:32:30 AM UTC-4, Alexandre Strzelewicz wrote:
> It could be a good idea to add a decorator to escape all requested
> variables to avoid XSS, no?
>
> Actually I do:
>
> In controller:
>
> xss = local_import('xss')
>
> def new_widget():
>     can_modify()
>     # XSS prevention
>     for req in request.vars:
>         request.vars[req] = xss.xssescape(request.vars[req])
> [...]
>
> In modules/xss.py:
>
> http://pastie.org/1971510
>
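An added illustration of the point raised in the reply (example code, not from the thread, the pastie, or web2py itself): it contrasts escaping at the output layer, which is what web2py's views do for every rendered variable, with the escape-every-request-variable approach in the quoted controller. Python's stdlib `html.escape` stands in for web2py's escaping function, `request.vars` is modelled as a plain dict, and `render_view` is a hypothetical stand-in for an auto-escaping template; all of these are assumptions of the example.

```python
"""Added example, not code from the thread or from web2py.

Shows what escaping request variables on input adds when the view
already escapes on output: nothing for the rendered page, but the
stored data changes and rendered values get double-escaped.
"""
import html


def escape_on_output(value):
    # Assumption: html.escape stands in for web2py's view-layer escaping.
    # Applied once, at the moment a value is written into HTML.
    return html.escape(str(value), quote=True)


def render_view(context):
    # Hypothetical minimal template that escapes every variable it renders,
    # mirroring web2py's default behaviour in views.
    return "<p>name: {}</p>".format(escape_on_output(context["name"]))


def controller_output_escaping(request_vars):
    # Keep the raw value; escaping happens only in the view.
    stored = dict(request_vars)
    return stored, render_view(stored)


def controller_input_escaping(request_vars):
    # The quoted approach: rewrite every request variable before use,
    # then render through the same auto-escaping view.
    stored = {k: escape_on_output(v) for k, v in request_vars.items()}
    return stored, render_view(stored)


def compare(request_vars):
    # Return both outcomes side by side for the same request.
    raw_stored, raw_rendered = controller_output_escaping(request_vars)
    esc_stored, esc_rendered = controller_input_escaping(request_vars)
    return {
        "output_only": {"stored": raw_stored["name"], "rendered": raw_rendered},
        "input_and_output": {"stored": esc_stored["name"], "rendered": esc_rendered},
    }


# Constructed sample inputs: one with markup metacharacters, one with a
# perfectly legitimate apostrophe that input escaping would rewrite.
SAMPLE_MARKUP = {"name": "<b>Tom & Jerry</b>"}
SAMPLE_APOSTROPHE = {"name": "O'Brien"}


if __name__ == "__main__":
    for sample in (SAMPLE_MARKUP, SAMPLE_APOSTROPHE):
        for approach, result in compare(sample).items():
            print(approach, "stored:", result["stored"])
            print(approach, "rendered:", result["rendered"])
```

Running it shows the view output is already safe with output escaping alone (`&lt;b&gt;Tom &amp; Jerry&lt;/b&gt;`); adding input escaping stores the escaped form in the database and then the view escapes it again (`&amp;lt;b&amp;gt;...`), so the page displays literal `&lt;b&gt;` text, and a name like `O'Brien` is persisted as `O&#x27;Brien`. Escaping belongs at the layer that produces HTML; what input handling should do instead is validate that each field has the expected shape.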