I guess the authors of RSS2 assume that there can be valid HTML in the fields.

Yes, this is bad. I think we should form RSS2 and sanitize the fields before making the RSS. Want to send me a patch?

Massimo

On Nov 24, 1:18 am, Thadeus Burgess <[email protected]> wrote:
> No, the escaping is not done in the RSS2 module, I checked. Firefox is
> displaying the form and everything I posted as a comment.... bad bad bad!
>
> I fixed it by calling XML sanitize as I was looping through the rows. I do
> think there should be a note about this?
>
> ...
> description=XML(row.comment.content, sanitize=True,
> permitted_tags=[]).xml(),
> ...
>
> -Thadeus
>
> On Tue, Nov 24, 2009 at 12:47 AM, mdipierro <[email protected]> wrote:
>
> > I think it does but not there. It calls gluon.serializers.rss which
> > calls gluon.contrib.rss2.dumps. This is a standard Python module for
> > RSS. This module uses SAX for generating XML+RSS.
> >
> > generic.rss does not escape because the data passed to it is already
> > in XML.
> >
> > The escaping should be done by the RSS2 module. Is it not? Are you
> > having a problem with it?
> >
> > Massimo
> >
> > On Nov 24, 12:13 am, Thadeus Burgess <[email protected]> wrote:
> > > Why does the generic.rss default to non-escaped output?
> > >
> > > -Thadeus
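The point the thread settles on is that the RSS serializer trusts its input as already-built XML, so any user-supplied comment HTML that reaches it is emitted verbatim into the feed. The following stand-alone Python is an added example, not web2py's own code: `strip_tags` plays the role of the fix quoted above, `XML(row.comment.content, sanitize=True, permitted_tags=[])`, and `build_feed` is a minimal stand-in for `gluon.contrib.rss2` / `generic.rss`, which escape nothing themselves. The rows and their comment text are constructed for the demonstration; `example.invalid` is a placeholder host.

```python
"""Why comment fields must be sanitized before they reach an RSS serializer.

Added example (not web2py code). strip_tags() stands in for
XML(content, sanitize=True, permitted_tags=[]); build_feed() stands in for
gluon.contrib.rss2 / generic.rss, which insert the description verbatim.
"""
from html.parser import HTMLParser
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET


class _TagStripper(HTMLParser):
    """Keep only the character data of an HTML fragment, dropping all tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def strip_tags(fragment: str) -> str:
    """Remove every tag (the permitted_tags=[] behaviour) and return plain text."""
    parser = _TagStripper()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.parts)


def rss_item(title: str, description_xml: str) -> str:
    """Build one <item>. description_xml is trusted as markup and inserted
    verbatim, mirroring generic.rss, which assumes its input is already XML."""
    return "<item><title>%s</title><description>%s</description></item>" % (
        escape(title), description_xml)


def build_feed(rows, sanitize: bool) -> str:
    """Serialize constructed comment rows into an RSS 2.0 document."""
    items = []
    for row in rows:
        content = row["content"]
        if sanitize:
            # The thread's fix: strip all tags, then escape the remaining text
            # so it is safe to embed as XML character data.
            content = escape(strip_tags(content))
        items.append(rss_item(row["title"], content))
    return ('<?xml version="1.0"?><rss version="2.0"><channel>%s</channel></rss>'
            % "".join(items))


def feed_is_well_formed(feed: str) -> bool:
    """Unescaped '&' or '<' in a description breaks the whole feed for readers."""
    try:
        ET.fromstring(feed)
    except ET.ParseError:
        return False
    return True


def description_child_tags(feed: str):
    """Tag names that survive as real elements inside <description>.
    Anything listed here is rendered as live HTML by a trusting feed reader."""
    root = ET.fromstring(feed)
    return [child.tag for desc in root.iter("description") for child in desc]


# Constructed sample rows standing in for row.comment.content from the thread.
HTML_ROW = {
    "title": "Comment 1",
    "content": ('Great article! <b>Thanks</b>'
                '<form action="http://example.invalid/capture">'
                '<input name="pw"/></form>'),
}
AMP_ROW = {"title": "Comment 2", "content": "Rock & roll"}


if __name__ == "__main__":
    print("unsanitized:", build_feed([HTML_ROW], sanitize=False))
    print("sanitized:  ", build_feed([HTML_ROW, AMP_ROW], sanitize=True))
```

Run it and compare the two feeds: without sanitizing, the `<form>` from the comment is a real element inside `<description>`, and a comment containing a bare `&` yields a feed that no longer parses at all. With sanitizing, both rows come through as plain, escaped text.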

