return locals() could also leak private data to the view. Typically not a problem in HTML views as long as you are only including items explicitly, but may be a problem for json and xml views. This is the reason we disabled generic views by default (except on local requests) -- an attacker could enter a .json or .xml extension for any given URL, and as long as there wasn't a specific .json or .xml view for that URL, the generic view would be used, which would spit out everything returned by the controller function (including all fields returned in any database selects, even if not intended for viewing, such as password hashes from the db.auth_user table). So, generally safer to be explicit about what gets returned.
Anthony

On Wednesday, July 18, 2012 10:13:25 AM UTC-4, viniciusban wrote:
>
> We know locals() fits well in this situation.
>
> But I am working in a system developed returning locals() from all
> controllers. It's a pain to discover where things are defined and if a
> change in a controller (i.e. killing some "unused" variables) will or not
> affect that view. Mainly the bigger ones.
>
> It's good to be explicit whenever possible.
>
> So, I wouldn't lay on returning locals() everywhere. I'd rather
> return(dict1=dict1, dict2=dict2, ...) in this simple situation with few
> variables.
>
> --
> Vinicius Assef
>
> On 07/17/2012 06:50 PM, adohertyd wrote:
> > Simple as that :) thanks Massimo Web2py is fantastic
> >
> > On Tuesday, 17 July 2012 22:45:48 UTC+1, Massimo Di Pierro wrote:
> >
> >     replace
> >
> >         return dict(ReturnedDict=OtherDict)
> >
> >     with
> >
> >         return locals()
> >
> >     On Tuesday, 17 July 2012 16:40:00 UTC-5, adohertyd wrote:
> >
> >         In my function page2(): I return a dictionary to be accessed by
> >         the page2 HTML view. In the page2 function I have some other
> >         dictionaries. What I want to do to be able to use the
> >         non-returned dictionaries in the HTML code to show some items.
> >         This is a sample of what I want: Hope it's clear
> >
> >         def page2():
> >
> >             Dict1 = {key1: {keyA: value, keyB: value, keyC: value}}
> >             Dict2 = {key2: {keyD: value, keyE: value, keyF: value}}
> >
> >             OtherDict = {key: value, key: value...}
> >
> >             return dict(ReturnedDict=OtherDict)
> >
> >         page2.html:
> >
> >         <ul>
> >         {{for x in ReturnedDict:}}
> >           {{if x in Dict1:}}
> >             <li>{{=Dict1[x]['keyA']}}{{=Dict1[x]['keyB']}}</li>
> >           {{elif x in Dict2:}}
> >             <li>{{=Dict2[x]['keyD']}}{{=Dict2[x]['keyE']}}</li>
> >           {{pass}}
> >         {{pass}}
> >         </ul>
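The leak described in the reply above, as an added example that is not part of the original thread and not web2py's own code. The function `generic_json_view` is a hypothetical stand-in for a generic .json view, the controller names are invented, and the user row is constructed; `audit` can serve as a test-time check that a controller's return value carries no sensitive columns.

```python
import json

# Constructed row standing in for a select on db.auth_user; not real data.
AUTH_USER_ROWS = [
    {"id": 1, "first_name": "Ada", "email": "ada@example.com",
     "password": "constructed-hash-value"},
]
# Column names treated as sensitive for this check (assumption of the example).
SENSITIVE_KEYS = {"password", "registration_key", "reset_password_key"}

def page_locals():
    users = AUTH_USER_ROWS      # whole rows, password column included
    title = "Members"
    return locals()             # every local name is handed to the view

def page_explicit():
    users = AUTH_USER_ROWS
    names = [u["first_name"] for u in users]
    return dict(title="Members", names=names)   # only what the view needs

def generic_json_view(result):
    """Hypothetical stand-in for a generic .json view: dumps the whole result."""
    return json.dumps(result, sort_keys=True)

def leaked_fields(node, path=""):
    """Return the paths of sensitive keys found anywhere in a decoded payload."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS:
                found.append(here)
            found.extend(leaked_fields(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(leaked_fields(item, f"{path}[{i}]"))
    return found

def audit(controller):
    """Render a controller through the generic view and list what it exposes."""
    payload = json.loads(generic_json_view(controller()))
    return sorted(leaked_fields(payload))

if __name__ == "__main__":
    for fn in (page_locals, page_explicit):
        print(fn.__name__, "->", audit(fn) or "nothing sensitive")
```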