On Saturday, August 4, 2012 7:00:18 PM UTC-4, dbdeveloper wrote:
> I do not understand what the problem is with decodeURIComponent()?

When I tried trunk, I think there was a problem with the encoding of my controller file (ANSI instead of UTF-8) -- in that case, I guess urllib2.quote didn't yield the correct output for decodeURIComponent (same problem in the earlier version, when the escaping was done on the client side via the Javascript escape() function). Now it works.

In any case, a remaining issue is that there's still no escaping of potentially dangerous content in the flash message. Everything written to HTML by web2py is typically escaped, including regular flash messages. The only content that isn't getting escaped are flash messages for Ajax components. To be consistent (and safe), we should probably escape those messages as well (you can always put them in an XML() if you don't want them escaped, as with any template content).

In main.py, I replaced:

    urllib2.quote(str(response.flash).replace('\n',''))

with:

    urllib2.quote(xmlescape(response.flash).replace('\n',''))

With that change, the flash message still looks fine (see screenshot below).

Anthony

<https://lh3.googleusercontent.com/-Z8G64F_zCv4/UB3KLUoUcGI/AAAAAAAABK8/sO9okzpFtJ4/s1600/flash.png>

--
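The before/after of the main.py change above, as an added stand-alone illustration rather than web2py's own code: it uses Python 3's urllib.parse.quote in place of urllib2.quote, and the XML marker class and xmlescape() below are simplified stand-ins (assumed, not web2py's implementations) for the behaviour the post describes, namely that XML()-wrapped content passes through while everything else is HTML-escaped before the header is percent-encoded for decodeURIComponent().

```python
import html
from urllib.parse import quote, unquote


class XML(str):
    """Stand-in (assumed) for web2py's XML() helper: marks content the developer
    has declared safe to emit as raw markup."""


def xmlescape(value):
    """Stand-in (assumed) for web2py's xmlescape: XML() passes through, all other
    values are HTML-escaped (including quotes) so markup cannot reach the DOM."""
    if isinstance(value, XML):
        return str(value)
    return html.escape(str(value), quote=True)


def flash_header_before(flash):
    """The original main.py line: only str(), so any markup in the message is
    percent-encoded intact and reappears verbatim after decodeURIComponent()."""
    return quote(str(flash).replace('\n', ''))


def flash_header_after(flash):
    """The proposed replacement: HTML-escape first, then percent-encode the
    result for the response header that the Ajax component reads."""
    return quote(xmlescape(flash).replace('\n', ''))


def client_side_decode(header_value):
    """Model of decodeURIComponent() on the browser side: percent-decoding of
    UTF-8 bytes, which is what urllib quote/unquote produce and consume."""
    return unquote(header_value)


if __name__ == "__main__":
    # Constructed sample messages: one carrying markup, one non-ASCII (the
    # encoding issue mentioned in the thread), one explicitly marked safe.
    for msg in ['<b>Saved</b> & done\n', 'Enregistré', XML('<b>Saved</b>')]:
        print(repr(client_side_decode(flash_header_before(msg))),
              '->', repr(client_side_decode(flash_header_after(msg))))
```

After the change, the browser receives `&lt;b&gt;Saved&lt;/b&gt; &amp; done` for the plain message (rendered literally), while the XML()-wrapped message still decodes to raw `<b>Saved</b>`.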