I agree that if the data is from user input you want to make sure it is escaped. The JSON might work for you. One tip: if you are using Python 2.7 it comes with a json lib (import json) that is written in C and probably faster than simplejson.

cfh

On 9/26/13 14:37, User wrote:
Looking online people seem to suggest json encoding.  So what I'm doing now is

def view():
    import gluon.contrib.simplejson.encoder
    myobject = db(db.objects.id == request.args(0)).select().first()
    # encode_basestring returns the value as a double-quoted JSON string literal
    myobject.nameJson = gluon.contrib.simplejson.encoder.encode_basestring(myobject.name)
    return dict(myobject=myobject)


(Not sure if that's the correct json method to use.) And then in the view,
using XML as suggested by Christian.  This seems to properly escape
embedded quotes.  However, as I am new to web2py I would appreciate others'
input about the correctness of this.
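A worked version of the two points above (cfh's tip to use the standard json module, and the question of whether a user-supplied name could still break out of the JavaScript string), added here as an example and not code from the thread or from web2py. It assumes Python 3; html.escape stands in for web2py's default escaping only to show where the &#x27; came from, and the extra escape table is an assumption, not a web2py feature:

```python
import json
from html import escape

# Legal in a JSON string but risky inside an inline <script> block: "<" and
# ">" can spell a closing tag that ends the script early.  (Assumed list.)
_JS_EXTRA_ESCAPES = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def html_escaped_title(name):
    """Approximate web2py's default {{=...}} output: HTML entities.
    Right for HTML text, wrong inside <script>, where the browser never
    decodes entities; that is why the tooltip showed 'John&#x27;s'."""
    return escape(name, quote=True)


def js_string_literal(value):
    """Return a double-quoted JavaScript string literal for value.
    json.dumps escapes the quote, backslash and control characters, so the
    data cannot close the literal early (stripping '"' alone would miss the
    backslash); the extra pass keeps a raw '</script>' out of the output.
    Emit it with {{=XML(...)}} so web2py does not HTML-escape it again."""
    literal = json.dumps(value, ensure_ascii=True)  # non-ASCII -> \uXXXX
    for char, replacement in _JS_EXTRA_ESCAPES.items():
        literal = literal.replace(char, replacement)
    return literal


def marker_title_line(name):
    """The 'title:' line of the Marker options from the original view."""
    return "title: %s," % js_string_literal(name)


def is_inert_in_script(literal):
    """True if literal is a single string token: quote-bounded, with no
    unescaped quote inside and no raw '<' or '>' in the body."""
    if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
        return False
    body, i = literal[1:-1], 0
    while i < len(body):
        if body[i] == "\\":      # escape sequence: skip the escaped char
            i += 2
            continue
        if body[i] == '"':       # a bare quote would end the token early
            return False
        i += 1
    return "<" not in body and ">" not in body


if __name__ == "__main__":
    for sample in ["John's Place", 'Say "hi" \\ now', "a</script>b"]:  # constructed
        print(marker_title_line(sample), is_inert_in_script(js_string_literal(sample)))
```

The same json.dumps route works in the controller, with the view emitting {{=XML(myobject.nameJson)}} inside the quotes already removed from the template.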


On Thursday, September 26, 2013 5:14:40 PM UTC-4, User wrote:

Yes, by viewing source I could see that the generated javascript string had
the character entity in it, so I knew the question was how to get web2py to
output it correctly.  Using XML works! Thank you. By using XML the
generated string becomes "John's Place"

My next question is why? And is it still safe from user injected code?  At
first glance it looks like someone could possibly inject something
(myobject.name ultimately comes from user input).  Maybe I can just strip
out double quotes to make sure they can't close the string?

On Thursday, September 26, 2013 12:02:55 PM UTC-4, Christian Foster Howes wrote:

can you use an inspector to see the actual generated javascript?  it's
possible that web2py is escaping the apostrophe.  you can try
{{=XML(myobject.name)}}

On Tuesday, September 24, 2013 5:26:29 PM UTC-7, User wrote:

I'm using the google map javascript api (v3). I have a google map in one
of my views.  I want to display the location name as the marker title (used
when hovering over the marker).  I'm using the following code in my view:

{{block head}}
<script type="text/javascript">
    function init_map() {
        var myLatlng = new google.maps.LatLng({{=myobject.lat}}, {{=myobject.lng}});
        var mapOptions = {
            center: myLatlng,
            zoom: 12,
            mapTypeId: google.maps.MapTypeId.ROADMAP
        };
        var map = new google.maps.Map(document.getElementById("map-canvas"),
            mapOptions);
        var marker = new google.maps.Marker({
            position: myLatlng,
            map: map,
            title: "{{=myobject.name}}"
        });
    }
    google.maps.event.addDomListener(window, 'load', init_map);
</script>
{{end}}
This works to output a map but when I mouse over the marker, the
character encoding is not right.  For example, if myobject.name contains the string
"John's Place" then the marker tooltip will literally
display "John&#x27;s Place" (that is, with the ampersand and hash).  How
can I get it to display the string as "John's Place" in a web safe manner?
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- You received this message because you are subscribed to the Google Groups "web2py-users" group.