On Wednesday, December 21, 2011 3:28:25 AM UTC-8, Marius Gedminas wrote:
>
> On Tue, Dec 20, 2011 at 09:07:58AM -0800, Wyatt Baldwin wrote:
> > In an earlier version of my code, I did some dynamic JavaScript 
> > configuration using Mako constructs:
> > 
> >     # app.mako
> >     <script>
> >         % if something:
> >             // set some JS var
> >         % endif
> >         var x = '${some_var_from_view}';
> >         var y = ${something_that_is_specific_to_this_request(request)};
> >     </script>
> > 
> > Now I do something like this:
> > 
> >     # helpers.py
> >     def get_js_config(request):
> >         config = {
> >             # whatever request-specific config you need
> >         }
> >         return literal(json.dumps(config))
> > 
> >     # app.mako
> >     <script src="main.js"></script>  ## Load main JS function
> >     <script>
> >         main(${h.get_js_config(request)});
> >     </script>
>
> json.dumps() is insufficient quoting, if you're letting user-provided
> content into your config dict.
>
> Consider what happens when it tries to quote a string containing
>
>   "</script><script>alert('0wn y00');</script>"
>
In my case, there's no user-provided data, but that is a good point to 
bring up.

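Marius's point, as an added example that is not code from the thread: plain `json.dumps()` leaves `</script>` intact inside a string, so the HTML parser closes the element early; escaping `<`, `>` and `&` as JSON `\uXXXX` sequences keeps the output valid JSON while making a break-out impossible. The function and variable names below are assumptions, not Pylons or Mako APIs.

```python
import json

# Characters that let a JSON string break out of an inline <script> block.
# json.dumps() leaves them untouched, which is the problem Marius describes.
# Non-ASCII line terminators (U+2028/U+2029) are already escaped by the
# default ensure_ascii=True, so only these three need handling.
_HTML_UNSAFE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
}


def unsafe_js_config(config):
    """The original approach: plain json.dumps(), safe only for trusted values."""
    return json.dumps(config)


def safe_js_config(config):
    """JSON-encode, then rewrite HTML-significant characters as \\uXXXX escapes.

    The result is still valid JSON (json.loads() round-trips to the same
    values) but can no longer contain "</script>" or "<!--" literally.
    """
    encoded = json.dumps(config)
    for ch, esc in _HTML_UNSAFE.items():
        encoded = encoded.replace(ch, esc)
    return encoded


def script_block(config):
    """Render the inline call from the thread's app.mako with the hardened encoder."""
    return "<script>\n    main(%s);\n</script>" % safe_js_config(config)


def round_trips(config):
    """True if the hardened encoding still decodes to the original config."""
    return json.loads(safe_js_config(config)) == config


# Constructed sample: the string from Marius's message placed in a config value.
PAYLOAD = "</script><script>alert('0wn y00');</script>"
SAMPLE_CONFIG = {"user_name": PAYLOAD, "debug": False}

if __name__ == "__main__":
    print(unsafe_js_config(SAMPLE_CONFIG))  # contains a literal </script>
    print(script_block(SAMPLE_CONFIG))      # only the closing tag remains
```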