Would serialized HTML messages be escaped then? What if someone uses response.flash = A("Hello World", _href="#")?
On Monday, August 6, 2012 4:50:31 AM UTC+2, Anthony wrote:
>
> Bump. Should we replace str() with xmlescape() so Ajax flash messages get escaped, just like regular flash messages and everything else in the view?
>
> Anthony
>
> On Saturday, August 4, 2012 9:23:53 PM UTC-4, Anthony wrote:
>>
>> On Saturday, August 4, 2012 7:00:18 PM UTC-4, dbdeveloper wrote:
>>>
>>> I do not understand what the problem is with decodeURIComponent()?
>>>
>>
>> When I tried trunk, I think there was a problem with the encoding of my controller file (ANSI instead of UTF-8) -- in that case, I guess urllib2.quote didn't yield the correct output for decodeURIComponent (same problem in the earlier version, when the escaping was done on the client side via the Javascript escape() function). Now it works.
>>
>> In any case, a remaining issue is that there's still no escaping of potentially dangerous content in the flash message. Everything written to HTML by web2py is typically escaped, including regular flash messages. The only content that isn't getting escaped are flash messages for Ajax components. To be consistent (and safe), we should probably escape those messages as well (you can always put them in an XML() if you don't want them escaped, as with any template content). In main.py, I replaced:
>>
>> urllib2.quote(str(response.flash).replace('\n',''))
>>
>> with:
>>
>> urllib2.quote(xmlescape(response.flash).replace('\n',''))
>>
>> With that change, the flash message still looks fine (see screenshot below).
>>
>> Anthony
>>
>> <https://lh3.googleusercontent.com/-Z8G64F_zCv4/UB3KLUoUcGI/AAAAAAAABK8/sO9okzpFtJ4/s1600/flash.png>
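The following is an added example, not code from this thread or from web2py itself. It models the change Anthony describes (str() replaced with xmlescape() before URL-quoting the Ajax flash header) side by side with the old behaviour, and also covers the helper case asked about at the top of the thread. `xmlescape`, `XML` and `A` below are simplified stand-ins written here so the script runs without web2py installed; they follow the convention the thread states for web2py templates, namely that plain strings are HTML-escaped while XML()-wrapped content (and helpers, which render themselves via `.xml()`) is passed through as markup. The sample flash messages are constructed for the demonstration.

```python
"""Model of escaping an Ajax flash message before it is sent to the browser.

Stand-ins (assumptions, not web2py's real implementation): XML, A, xmlescape.
Python 3's urllib.parse.quote/unquote stand in for urllib2.quote and the
client-side decodeURIComponent() respectively.
"""
import html
from urllib.parse import quote, unquote


class XML:
    """Stand-in for web2py's XML(): marks content as already-safe markup."""

    def __init__(self, markup):
        self.markup = markup

    def xml(self):
        return self.markup


class A:
    """Stand-in for web2py's A() helper: renders an <a> tag.

    The helper itself is trusted markup, but the text and href it wraps are
    escaped when rendered, so user data inside a helper is still safe.
    """

    def __init__(self, text, _href="#"):
        self.text = text
        self.href = _href

    def xml(self):
        return '<a href="%s">%s</a>' % (
            html.escape(self.href, quote=True),
            html.escape(self.text, quote=True),
        )


def xmlescape(value):
    """Escape a plain string; pass through objects that render via .xml()."""
    if hasattr(value, "xml"):
        return value.xml()
    return html.escape(str(value), quote=True)


def ajax_flash_header_old(flash):
    """Pre-fix behaviour from the thread: str() only, so markup survives."""
    return quote(str(flash).replace("\n", ""))


def ajax_flash_header_new(flash):
    """Proposed fix from the thread: xmlescape() before URL-quoting."""
    return quote(xmlescape(flash).replace("\n", ""))


def browser_receives(header_value):
    """What decodeURIComponent() yields on the client before insertion into the page."""
    return unquote(header_value)


if __name__ == "__main__":
    # Constructed sample: a flash message that happens to contain markup characters.
    untrusted = "<b>Hello</b> & goodbye\n"
    print("old:", browser_receives(ajax_flash_header_old(untrusted)))
    print("new:", browser_receives(ajax_flash_header_new(untrusted)))
    # Helper and XML()-wrapped messages are rendered as markup, not escaped.
    print("helper:", browser_receives(ajax_flash_header_new(A("Hello World", _href="#"))))
    print("XML():", browser_receives(ajax_flash_header_new(XML("<b>bold</b>"))))
```

Running it shows the difference the thread is after: with the old `str()` path the raw `<b>` tags reach the client intact, with `xmlescape()` they arrive as `&lt;b&gt;` entities, and a message built with the `A()` helper or wrapped in `XML()` still comes through as markup because it is rendered through `.xml()` rather than escaped.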