[web2py] Re: Recent change to string escaping breaks dynamic javascript

mr.freeze Fri, 23 Jul 2010 10:56:23 -0700

It was probably introduced as a security fix. You can do:
{{
schartoptions = XML("""{
    type: 'bar',
    barColor: 'green',
    chartRangeMin: '%d',
    chartRangeMax: '%d'
    }
    """%(chartmin,chartmax))
}}


and it won't be escaped.


On Jul 23, 12:39 pm, Michael Ellis <[email protected]> wrote:
> I've got an app with views that generate jQuery code on the fly.  This was
> all working fine until recently, i.e. sometime after 1.92.  With more recent
> builds, single and double quotes in strings are now escaped and it breaks
> the javascript.   Here's an example
>
> The view has (with much snipped out):
>
> {{
> schartoptions = """{
>     type: 'bar',
>     barColor: 'green',
>     chartRangeMin: '%d',
>     chartRangeMax: '%d'
>     }
>     """%(chartmin,chartmax)
>
> }}
>
> and later on I use the variables within a script tag, e.g.
>
> <script type="text/javascript">
>     /* <![CDATA[ */
>     $("#{{=ks+kc}}").sparkline(data.wsc.{{=ks}}.{{=kc}}, {{=schartoptions}}
> </script>
>
> With an earlier web2py, it produces the desired result,
>
> $("#solution0").sparkline(data.s.solution0, {
>     type: 'bar',
>     barColor: 'green',
>     chartRangeMin: '0',
>     chartRangeMax: '1'
>     }
>     );
>
> but now (at tip) I get
>
> $("#solution0").sparkline(data.s.solution0, {
>     type: &#x27;bar&#x27;,
>     barColor: &#x27;green&#x27;,
>     chartRangeMin: &#x27;0&#x27;,
>     chartRangeMax: &#x27;1&#x27;
>     }
> );
>
> Was this change intentional?  If so, what's the recommended workaround?
>
> Thanks,
> Mike

[web2py] Re: Recent change to string escaping breaks dynamic javascript

Reply via email to