It is being escaped, while in this context it should not be escaped. Use:
ajax("{{=XML(URL(c='my_controller', f='do_something',
vars=dict(x=session.x, y=session.y), user_signature=True))}}", [], ":eval");
On Thursday, 7 March 2013 22:22:17 UTC-6, weheh wrote:
>
> For extra security I'm adding user_signature=True to a critical ajax
> calls, but it isn't working for me. In my view, I have the following call
> after the page is created:
>
> ajax("{{= URL(c='my_controller', f='do_something',
> vars=dict(x=session.x, y=session.y), user_signature=True)}}", [], ":eval");
>
> Then in the controller:
>
> def do_something():
>     if not URL.verify(request):
>         raise HTTP(403)
>     ...
>
> This always raises HTTP(403) regardless of whether or not I'm logged in.
>
> I've traced through gluon's html.py function. One thing that looks awfully
> suspicious is that the "vars" variable is getting evaluated with an extra
> item that looks like this:
>
> 'amp': ['','','']
>
> Somehow, it's looking at the & separator and parsing it into a
> variable instead of a variable separator in a url, such as:
>
> http://my_domain.com/my_controller/do_something?x=1&y=2&_signature=1f1d8d6eb7e2e98712023d8e2f3a38ee3dbe6466
>
> Am I doing something wrong here, or is this a bug?
>
--
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
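The exchange above, reproduced as an added, self-contained example (this is not code from web2py or from either poster). It uses a simplified HMAC signing scheme as a stand-in for web2py's `user_signature=True` and a constructed secret key; `sign_url`, `parse_query_legacy`, `verify_request` and `render_in_template` are hypothetical helpers named here for illustration. `parse_query_legacy` deliberately splits the query string on both `&` and `;`, which is how Python 2's `cgi.parse_qs` (used by web2py at the time) behaved, and is what turns an HTML-escaped `&amp;` into the spurious `'amp'` variable the reporter saw. Rendering the URL through the escaping path (`{{=URL(...)}}`) breaks verification; the unescaped path (`{{=XML(URL(...))}}`) verifies.

```python
import hmac
import hashlib
from html import escape
from urllib.parse import urlencode, unquote

# Constructed key for the example; not a real web2py or application secret.
SECRET = b"constructed-example-key"


def sign_url(path, vars_, key=SECRET):
    """Build a signed URL: a simplified stand-in for web2py's URL(..., user_signature=True).

    The signature is an HMAC-SHA1 over the path plus the sorted, URL-encoded query.
    """
    query = urlencode(sorted(vars_.items()))
    sig = hmac.new(key, f"{path}?{query}".encode(), hashlib.sha1).hexdigest()
    return f"{path}?{query}&_signature={sig}"


def render_in_template(url, escaped=True):
    """Model the view helper: {{=URL(...)}} HTML-escapes its output (so '&' becomes
    '&amp;'), while {{=XML(URL(...))}} emits the URL unchanged."""
    return escape(url, quote=True) if escaped else url


def parse_query_legacy(query):
    """Split a query string the way Python 2's cgi.parse_qs did: on both '&' and ';',
    keeping blank values. 'x=1&amp;y=2' therefore yields keys x, amp, y."""
    vars_ = {}
    for chunk in query.replace(";", "&").split("&"):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        vars_.setdefault(unquote(key), []).append(unquote(value))
    return vars_


def verify_request(url, key=SECRET):
    """Recompute the signature over the received vars and compare in constant time.

    Returns (ok, received_vars) so the caller can see which keys the server parsed.
    """
    path, _, query = url.partition("?")
    received = parse_query_legacy(query)
    sig_list = received.pop("_signature", [])
    if len(sig_list) != 1:
        return False, received
    flat = {k: v[-1] for k, v in received.items()}
    expected = hmac.new(
        key, f"{path}?{urlencode(sorted(flat.items()))}".encode(), hashlib.sha1
    ).hexdigest()
    return hmac.compare_digest(expected, sig_list[0]), received


if __name__ == "__main__":
    signed = sign_url("/my_controller/do_something", {"x": "1", "y": "2"})
    for label, rendered in (
        ("{{=URL(...)}}      ", render_in_template(signed, escaped=True)),
        ("{{=XML(URL(...))}} ", render_in_template(signed, escaped=False)),
    ):
        ok, received = verify_request(rendered)
        print(f"{label} -> verify={ok} received={received}")
```

When run, the escaped rendering shows `'amp': ['', '']` among the received vars and fails verification, exactly the symptom in the report; the `XML()`-wrapped rendering verifies. Note that the trailing `?x=1&amp;y=2` ambiguity only exists because the legacy parser treats `;` as a separator; a parser that splits on `&` alone would instead produce a key named `amp;y`, which still breaks the signature.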