On Tuesday, April 16, 2019 at 8:03:55 AM UTC-7, Alex wrote:
>
> Thanks for your suggestions. Although nothing gets me the desired result.
> If I use urllib.quote or XML in the controller way too much gets escaped
> (all < and > signs, blanks, etc.) which is not what I want. And I'd have to
> do this for all attributes in every controller function.
>
> My problem is exactly the same as in this stackoverflow question for
> django:
>
> https://stackoverflow.com/questions/14290517/safely-using-json-with-html-inside-of-the-json-in-django-templates
> in Django there seems to be an escapejs filter
>
>
Did you look at XML's permitted_tags and allowed_attributes?
> Then I found out that there is an ASSIGNJS helper in web2py which is
> actually exactly what I need. Therefore I could replace
>
> <script type="text/javascript">
> var filterSettings = {{=XML(filter_settings)}};
> </script>
>
> with
>
> <script type="text/javascript">
> {{=ASSIGNJS(filterSettings=filter_settings)}};
> </script>
>
> and expect everything to work fine and safe. Only to find out that this is
> vulnerable to the same exploit (at least in web2py 2.12.3). In case this
> still happens with the newest web2py version this is a major security flaw
> - if I'm not mistaken. I'll test this soon and then get back here.
>
> Why are we still using such an old version? I waited very long until web2py
> was Python 3 ready because upgrading web2py in our production system
> involves a lot of work (update deployment process and all instances, lots
> of testing, etc.). Since we need to upgrade to Python 3 anyway we only want
> to upgrade once for now.
>
>
Goodness. I'm feeling guilty about using 2.15.4, which is 2 1/2 years
old. At home I still have 2.14.6 on Windows -- 3 years old, but I'm the
only user, and I do try out newer versions at times.
/dps
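An added example, not web2py's code and not from either poster, of the escapejs-style step the thread is after: JSON serialised so that it stays inert inside an inline script element. It assumes plain Python with no web2py; the helper names json_for_script and render_script_tag are my own.

```python
import json

# Characters that can terminate or alter an inline <script> block even when
# the surrounding text is valid JSON. Rewriting them as JSON \uXXXX escapes
# keeps the output valid JSON and inert as HTML; the JS engine decodes them
# back to the original characters when it parses the literal.
_SCRIPT_SAFE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",  # JS line terminators json.dumps leaves raw
    "\u2029": "\\u2029",  # when ensure_ascii=False
}


def json_for_script(value):
    """Serialise value as JSON that is safe to embed in an inline <script>.

    Plain json.dumps() happily emits a literal "</script>" inside a string,
    and the HTML parser treats that as the end of the script element
    regardless of JSON string quoting. Escape the offending characters.
    """
    text = json.dumps(value, ensure_ascii=False)
    for char, escaped in _SCRIPT_SAFE.items():
        text = text.replace(char, escaped)
    return text


def render_script_tag(var_name, value):
    """Build the assignment block; var_name is developer-controlled, not user data."""
    return '<script type="text/javascript">\nvar %s = %s;\n</script>' % (
        var_name, json_for_script(value))


def breaks_out_of_script(rendered):
    """Crude check: more than one closing tag means the data closed the element early."""
    return rendered.lower().count("</script>") > 1


if __name__ == "__main__":
    # Constructed settings object; the label carries a script-closing tag, the
    # kind of value a user-editable filter name could contain.
    filter_settings = {"label": "</script><b>injected</b>", "limit": 10}
    unsafe = '<script type="text/javascript">\nvar filterSettings = %s;\n</script>' % (
        json.dumps(filter_settings))
    safe = render_script_tag("filterSettings", filter_settings)
    print(breaks_out_of_script(unsafe), breaks_out_of_script(safe))  # True False
    print(json.loads(json_for_script(filter_settings)) == filter_settings)  # True
```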