Bump. Should we replace str() with xmlescape() so Ajax flash messages get 
escaped, just like regular flash messages and everything else in the view?

Anthony

On Saturday, August 4, 2012 9:23:53 PM UTC-4, Anthony wrote:
>
> On Saturday, August 4, 2012 7:00:18 PM UTC-4, dbdeveloper wrote:
>>
>>  I do not understand what the problem is with decodeURIComponent()?
>>
>
> When I tried trunk, I think there was a problem with the encoding of my 
> controller file (ANSI instead of UTF-8) -- in that case, I guess 
> urllib2.quote didn't yield the correct output for decodeURIComponent (same 
> problem in the earlier version, when the escaping was done on the client 
> side via the Javascript escape() function). Now it works.
>
> In any case, a remaining issue is that there's still no escaping of 
> potentially dangerous content in the flash message. Everything written to 
> HTML by web2py is typically escaped, including regular flash messages. The 
> only content that isn't getting escaped are flash messages for Ajax 
> components. To be consistent (and safe), we should probably escape those 
> messages as well (you can always put them in an XML() if you don't want 
> them escaped, as with any template content). In main.py, I replaced:
>
> urllib2.quote(str(response.flash).replace('\n',''))
>
> with:
>
> urllib2.quote(xmlescape(response.flash).replace('\n',''))
>
> With that change, the flash message still looks fine (see screenshot 
> below).
>
> Anthony
>
>
> <https://lh3.googleusercontent.com/-Z8G64F_zCv4/UB3KLUoUcGI/AAAAAAAABK8/sO9okzpFtJ4/s1600/flash.png>
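The two points of this thread, shown end to end as an added example (not web2py's own code): an Ajax flash message that is only passed through str() before urllib quoting reaches the browser with its markup intact, while running it through xmlescape() first gives the same entity-escaped output that regular flash messages and template content get; and a flash string taken from a non-UTF-8 (ANSI) controller file yields percent-escapes that decodeURIComponent() cannot decode. The stand-ins are assumptions: web2py's xmlescape() is approximated with html.escape(quote=True), Python 2's urllib2.quote is Python 3's urllib.parse.quote, and the browser's decodeURIComponent() is modelled with urllib.parse.unquote in strict UTF-8 mode, since decodeURIComponent throws on percent-escapes that are not valid UTF-8.

```python
"""Added example, not web2py's own code: why Ajax flash messages should be
passed through xmlescape() before urllib quoting, and why the encoding of
the controller file matters for decodeURIComponent() on the client.

Assumptions (stand-ins for web2py internals and for the browser):
 - xmlescape(): web2py's helper is approximated with html.escape(quote=True),
   which turns & < > " ' into entity references.
 - urllib2.quote (Python 2) is urllib.parse.quote in Python 3.
 - decodeURIComponent() is modelled by urllib.parse.unquote(errors='strict'),
   because the browser function throws URIError on non-UTF-8 percent-escapes.
"""
import html
from urllib.parse import quote, unquote


def xmlescape(text: str) -> str:
    """Stand-in for web2py's xmlescape(): escape HTML-significant characters."""
    return html.escape(text, quote=True)


def ajax_flash_header_unsafe(flash: str) -> str:
    """Behaviour discussed in the thread: str() only, so markup survives."""
    return quote(str(flash).replace('\n', ''))


def ajax_flash_header_safe(flash: str) -> str:
    """Proposed change: xmlescape() before quoting, like regular flash output."""
    return quote(xmlescape(flash).replace('\n', ''))


def browser_decode(header_value: str) -> str:
    """Model of decodeURIComponent(): strict UTF-8, raises on bad byte sequences."""
    return unquote(header_value, encoding='utf-8', errors='strict')


def flash_contains_markup(flash: str, safe: bool) -> bool:
    """Does the value the browser would insert into the page still hold a raw '<'?"""
    header = ajax_flash_header_safe(flash) if safe else ajax_flash_header_unsafe(flash)
    return '<' in browser_decode(header)


def decodes_in_browser(flash_bytes: bytes) -> bool:
    """Would decodeURIComponent() accept a flash message quoted from these raw bytes?

    quote() percent-encodes bytes as given, so a latin-1 encoded source file
    yields %E9 for 'é' instead of the UTF-8 %C3%A9 the browser expects.
    """
    try:
        browser_decode(quote(flash_bytes))
        return True
    except UnicodeDecodeError:
        return False


if __name__ == '__main__':
    # Constructed flash message containing attacker-influenced text, e.g. an
    # echoed form field.  Not taken from the thread.
    hostile = 'Record saved: <script>alert(document.cookie)</script>\nDone'
    print('unsafe header      :', ajax_flash_header_unsafe(hostile))
    print('safe header        :', ajax_flash_header_safe(hostile))
    print('browser sees (safe):', browser_decode(ajax_flash_header_safe(hostile)))
    print('latin-1 bytes decode?', decodes_in_browser('Enregistré'.encode('latin-1')))
    print('utf-8 bytes decode?  ', decodes_in_browser('Enregistré'.encode('utf-8')))
```

The escaped form is what the client-side code then writes into the flash element; if a controller really wants markup in an Ajax flash message, wrapping it in XML() before it reaches this code path is the same opt-out used for any other template content.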