On Monday, April 15, 2019 at 11:45:06 PM UTC-7, Dave S wrote:
>
> On Monday, April 15, 2019 at 11:04:26 AM UTC-7, Alex wrote:
>>
>> thanks for your answer. Problem is when I use sanitize then the output is
>> var filterSettings = {"section":
>> "</script><iframe>;
>>
>> which is not valid js because the attribute quotes should not be escaped
>>
>> btw, I'm using web2py 2.12.3 - maybe that's fixed/improved in future
>> versions? or am I doing something wrong?
>>
>> That's really old. Really, really old. And I feel guilty about using
> 2.14.6 at home.
>
> How about applying the sanitize to request.vars.name.before making the
> dict in your controller?
>
> filter_settings = dict(name=XML(request.vars.name, sanitize=True))
>
>
> You could also look at the parameters permitted_tags and
allowed_attributes .
/dps
> On Monday, April 15, 2019 at 7:50:30 PM UTC+2, Leonel Câmara wrote:
>>>
>>> Change it to:
>>>
>>> <script type="text/javascript">
>>> var filterSettings = {{=XML(filter_settings, sanitize=True)}};
>>> </script>
>>>
>>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
