So this:

    xss.xssescape(text)

would be the same as

    str(XML(text))

or

    from gluon import xmlescape
    xmlescape(text)

On May 25, 10:20 am, Alexandre Strzelewicz <strzelewicz.alexan...@gmail.com> wrote:
> For ajax queries
>
> On May 25, 4:58 pm, Anthony <abasta...@gmail.com> wrote:
> > By default, web2py already escapes all variables rendered in views to
> > prevent XSS -- what additional protection does this provide?
> >
> > On Wednesday, May 25, 2011 10:32:30 AM UTC-4, Alexandre Strzelewicz wrote:
> > > It could be a good idea to add a decorator to escape all requested
> > > variables to avoid xss no ?
> > >
> > > Actually I do :
> > >
> > > In controller :
> > >
> > >     xss = local_import('xss')
> > >
> > >     def new_widget():
> > >         can_modify()
> > >         # Xss prevention
> > >         for req in request.vars:
> > >             request.vars[req] = xss.xssescape(request.vars[req])
> > >         [...]
> > >
> > > In modules/xss.py :
> > >
> > > http://pastie.org/1971510
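To make Anthony's question concrete, here is an added example (not code from the thread or from web2py) that models the two escaping points being compared: the controller loop that escapes every request variable on input, and the escaping web2py applies when a variable is rendered in a view. It assumes Python's `html.escape` as a stand-in for `gluon`'s `xmlescape` (same five characters: `&`, `<`, `>`, `"`, `'`), and the sample request variables are constructed.

```python
import html


def xssescape(text: str) -> str:
    """Stand-in for gluon's xmlescape / str(XML(text)).

    Assumption: html.escape with quote=True escapes the same characters
    (&, <, >, ", ') so the example runs without web2py installed.
    """
    return html.escape(text, quote=True)


def escape_request_vars(request_vars: dict) -> dict:
    """The controller loop from the thread: escape every requested variable
    before the controller uses it (input-side escaping)."""
    return {name: xssescape(value) for name, value in request_vars.items()}


def render_view(value: str) -> str:
    """Models web2py's default behaviour: a variable rendered in a view is
    escaped at output time (output-side escaping)."""
    return "<p>" + xssescape(value) + "</p>"


# Constructed sample input: one variable carrying markup, one carrying an
# innocent ampersand that a user might legitimately type.
SAMPLE_VARS = {
    "name": "<script>alert(1)</script>",
    "company": "Smith & Sons",
}


def demo():
    """Compare output-only escaping with input-plus-output escaping.

    Both neutralise the markup in 'name', but escaping at both points
    double-encodes ordinary data: 'Smith & Sons' renders as
    'Smith &amp;amp; Sons', which the browser shows as 'Smith &amp; Sons'.
    """
    escaped = escape_request_vars(SAMPLE_VARS)
    output_only = render_view(SAMPLE_VARS["company"])
    input_and_output = render_view(escaped["company"])
    return escaped, output_only, input_and_output


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The example shows why output-side escaping alone is the usual default: it covers every rendered variable, while escaping on input as well changes stored data and double-encodes anything that is later rendered through the view.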