I do not understand what you are trying to do. If the postid is already
in the URL (request.args(0)) why do you put it in the form?

My best guess is that you are trying to do this:

def view():
    postid = request.args(0)
    post = db(db.post.id == postid).select()[0]
    ## post.body = post.body.replace("\n", "<br />") #### WARNING
    db.comment.post.readable = False
    db.comment.post.writable = False
    db.comment.post.default = postid   # the id comes from the URL, not from the form
    commentform = crud.create(db.comment)
    return dict(post=post, commentform=commentform)

WARNING. The replace you are doing tells me you have XML(post.body) in
the view. If this is the case your app has an XSS vulnerability. Do not
do

    {{=XML(post.body.replace("\n", "<br />"))}}

but do

    {{=XML(post.body.replace("\n", "<br />"),sanitize=True)}}

or

    {{from gluon.contrib.markdown import WIKI}}
    {{=WIKI(post.body)}}

Massimo
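An added example, not from Massimo's reply nor from web2py itself: plain Python showing why wrapping post.body in XML() is the problem and why the order of escaping matters. The comment body, the three render functions and the use of html.escape in place of sanitize=True are all assumptions for the demonstration.

```python
import html

# Constructed sample comment body: user-supplied text with a newline and a
# script tag, the kind of input XML() would hand to the browser untouched.
SAMPLE_BODY = 'hello\n<script>alert(1)</script>'


def render_unsafe(body: str) -> str:
    """Mimics {{=XML(post.body.replace("\\n", "<br />"))}}: the newline is
    turned into markup, but nothing is escaped, so the user's script tag is
    emitted into the page verbatim."""
    return body.replace("\n", "<br />")


def render_escaped_after(body: str) -> str:
    """The fix applied in the wrong order: add <br /> first, escape afterwards.
    The line break is destroyed (it becomes &lt;br /&gt;), which is exactly
    why people reach for XML() to get the break back, and lose escaping."""
    return html.escape(body.replace("\n", "<br />"), quote=True)


def render_safe(body: str) -> str:
    """Escape first, then insert the line-break markup. Everything the user
    typed is entity-encoded; the only live HTML is the <br /> we add."""
    return html.escape(body, quote=True).replace("\n", "<br />")


if __name__ == "__main__":
    for fn in (render_unsafe, render_escaped_after, render_safe):
        print(f"{fn.__name__:22s} {fn(SAMPLE_BODY)!r}")
```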



On Dec 12, 6:22 pm, Mengu <[email protected]> wrote:
> So far, I have managed to do this:
>
> def view():
>     postid = request.args(0)
>     post = db(db.post.id == postid).select()[0]
>     post.body = post.body.replace("\n", "<br />")
>     commentform = crud.create(db.comment, onaccept=_setPostId)
>     commentform[0].append(XML('<input type="hidden" name="post" value="' + postid + '" />'))
>     return dict(post=post, commentform=commentform)
>
> def _setPostId(form):
>     db(db.comment.id == form.vars.id).select()[0].update_record(post=request.vars.post)
>
> However, as you can see, it sets the post for the comment after
> inserting the comment, despite the fact that the hidden post field has
> a value inside the form which does not get posted. Isn't this a bug? I
> should also note that the post field is not readable and writable.
>
> thanks again.
