On Monday, April 15, 2019 at 11:04:26 AM UTC-7, Alex wrote:
>
> thanks for your answer. Problem is when I use sanitize then the output is
> var filterSettings = {"section":
> "</script><iframe>;
>
> which is not valid js because the attribute quotes should not be escaped
>
> btw, I'm using web2py 2.12.3 - maybe that's fixed/improved in future
> versions? or am I doing something wrong?
>
> That's really old. Really, really old. And I feel guilty about using
2.14.6 at home.
How about applying the sanitize to request.vars.name.before making the
dict in your controller?
filter_settings = dict(name=XML(request.vars.name, sanitize=True))
/dps
On Monday, April 15, 2019 at 7:50:30 PM UTC+2, Leonel Câmara wrote:
>>
>> Change it to:
>>
>> <script type="text/javascript">
>> var filterSettings = {{=XML(filter_settings, sanitize=True)}};
>> </script>
>>
>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
