In your controllers, wouldn't another mitigation be to code defensively by
taking request.vars and validating it in the first place? Following that
policy and then formatting your response is a way to avoid the problem.

It definitely doesn't seem like a good idea to be doing:

def action():
    # echoes a request variable straight back as the response body,
    # with no validation and no escaping
    return request.vars.whatever


in the first place, especially so in an AJAX query.


On May 25, 10:20 am, Alexandre Strzelewicz
<strzelewicz.alexan...@gmail.com> wrote:
> For ajax queries
>
> On May 25, 4:58 pm, Anthony <abasta...@gmail.com> wrote:
>
> > By default, web2py already escapes all variables rendered in views to
> > prevent XSS -- what additional protection does this provide?
>
> > On Wednesday, May 25, 2011 10:32:30 AM UTC-4, Alexandre Strzelewicz wrote:
> > > It could be a good idea to add a decorator to escape all requested
> > > variables to avoid xss no ?
>
> > > Actually I do :
>
> > > In controller :
>
> > > xss = local_import('xss')
>
> > > def new_widget():
> > >     can_modify()
> > >     # XSS prevention
> > >     for req in request.vars:
> > >         request.vars[req] = xss.xssescape(request.vars[req])
> > >     [...]
>
> > > In modules/xss.py :
>
> > > http://pastie.org/1971510
