On Wednesday, December 21, 2011 3:28:25 AM UTC-8, Marius Gedminas wrote:
>
> On Tue, Dec 20, 2011 at 09:07:58AM -0800, Wyatt Baldwin wrote:
> > In an earlier version of my code, I did some dynamic JavaScript
> > configuration using Mako constructs:
> >
> >     # app.mako
> >     <script>
> >     % if something:
> >     // set some JS var
> >     % endif
> >     var x = '${some_var_from_view}';
> >     var y = ${something_that_is_specific_to_this_request(request)};
> >     </script>
> >
> > Now I do something like this:
> >
> >     # helpers.py
> >     import json
> >     from webhelpers.html import literal
> >
> >     def get_js_config(request):
> >         config = {
> >             # whatever request-specific config you need
> >         }
> >         return literal(json.dumps(config))
> >
> >     # app.mako
> >     <script src="main.js"></script> ## Load main JS function
> >     <script>
> >     main(${h.get_js_config(request)});
> >     </script>
>
> json.dumps() is insufficient quoting, if you're letting user-provided
> content into your config dict.
>
> Consider what happens when it tries to quote a string containing
>
>     "</script><script>alert('0wn y00');</script>"

In my case, there's no user-provided data, but that is a good point to bring up.
-- You received this message because you are subscribed to the Google Groups "pylons-discuss" group. To view this discussion on the web visit https://groups.google.com/d/msg/pylons-discuss/-/Z-gmSDU_56gJ.
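The point Marius raises, shown as an added example (not code from either poster): json.dumps() escapes quotes and backslashes, but not the characters the HTML parser cares about, so a value containing "</script>" terminates the inline script early. The hardened encoder below applies the extra \uXXXX escapes, which JSON and JavaScript both decode back to the original characters; the config dict and the helper names are constructed for illustration.

```python
import json

# Constructed sample config carrying the hostile string from the thread.
SAMPLE_CONFIG = {
    "user": "alice",
    "greeting": "</script><script>alert('0wn y00');</script>",
}

# Characters json.dumps() leaves untouched but the HTML parser acts on:
# '<', '>' and '&' can end the script block or start a tag; U+2028 and
# U+2029 were treated as line terminators inside JS string literals.
_JS_ESCAPES = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",
    "\u2029": "\\u2029",
}


def naive_js_config(config):
    """The insufficient version: plain json.dumps(), as in the original helper."""
    return json.dumps(config)


def safe_js_config(config):
    """JSON that can be embedded inside an inline <script> element.

    The result is still a valid JSON document and a valid JS object
    literal; only the HTML-significant characters are re-encoded.
    """
    encoded = json.dumps(config, ensure_ascii=False)
    for ch, esc in _JS_ESCAPES.items():
        encoded = encoded.replace(ch, esc)
    return encoded


def roundtrips(config):
    """True if the browser-side decode of the hardened output equals the input."""
    return json.loads(safe_js_config(config)) == config


def render_script(config):
    """Render the inline <script> from the thread with the hardened encoder."""
    return "<script>\nmain(%s);\n</script>" % safe_js_config(config)


if __name__ == "__main__":
    print(naive_js_config(SAMPLE_CONFIG))  # literal </script> inside the value
    print(render_script(SAMPLE_CONFIG))    # exactly one closing tag, the real one
```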