Take a look at this for the explanation of _why_ you use escaping: http://en.wikipedia.org/wiki/Cross-site_scripting
On Sat, Dec 25, 2010 at 8:02 AM, Sahil Arora <[email protected]> wrote:
> thanks
>
> On Sat, Dec 25, 2010 at 12:09 PM, Thadeus Burgess <[email protected]> wrote:
>>
>> Escape will convert the text to html entities. For example,
>>
>> >>> x = "A 'quote' is <b>bold</b>"
>> >>> print response.write(x, escape=True)
>> A 'quote' is <b>bold</b>
>>
>> This protects your page from html injection hacks. If you need to display
>> html from a variable and you know absolutely sure that it is safe, use
>>
>> {{=XML(x)}}
>>
>> Which also provides some helper methods to allow you to select "safe" tags
>> without allowing everything.
>>
>> --
>> Thadeus
>>
>> On Fri, Dec 24, 2010 at 11:39 PM, Sahil Arora <[email protected]> wrote:
>>>
>>> I am asking what escape=true does
>>>
>>> On Sat, Dec 25, 2010 at 11:02 AM, mdipierro <[email protected]> wrote:
>>>>
>>>> {{=x}}
>>>>
>>>> is equivalent to
>>>>
>>>> {{response.write(x,escape=True)}}
>>>>
>>>> Did I answer the question?
>>>>
>>>> On Dec 24, 10:04 pm, Sahil Arora <[email protected]> wrote:
>>>> > what do you mean by word 'escape' when we say escape = False
>>>> >
>>>> > or
>>>> > in
>>>> > {{=x}}
>>>> > Variables injected into the HTML in this way are escaped by default.
>>>> > The escaping is ignored if x is an XML object, even if escape is set to True.
>>>> >
>>>> > --
>>>> > Sahil Arora
>>>> > B.Tech 2nd year
>>>> > Computer Science and Engineering
>>>> > IIT Delhi
>>>> > Contact No: +91 9871491046

--
Branko Vukelic
[email protected]
http://www.brankovukelic.com/
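To make Thadeus's explanation above concrete, here is an added, self-contained Python sketch (not code from the thread or from web2py) of the three behaviours discussed: `{{=x}}` escaping by default, `XML(x)` bypassing the escape, and an allowlist sanitizer standing in for the "safe tags" helper. The `XML` class, `write()` and `sanitize()` below are constructed stand-ins with a hypothetical `ALLOWED_TAGS` set, not web2py's real implementation.

```python
import html
import re

class XML:
    """Stand-in for web2py's XML helper: marks a string as already-safe HTML."""
    def __init__(self, text):
        self.text = text

    def xml(self):
        return self.text

def write(x, escape=True):
    """Mimics what {{=x}} / response.write(x, escape=True) does: convert the
    characters that could start markup to HTML entities, unless x is an XML
    object, in which case it is emitted verbatim (the caller vouched for it)."""
    if isinstance(x, XML):
        return x.xml()
    s = str(x)
    return html.escape(s, quote=True) if escape else s

# Hypothetical allowlist: tags a page is willing to render from user input.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p"}
TAG_RE = re.compile(r"<(/?)([a-zA-Z0-9]+)([^<>]*)>")

def sanitize(text):
    """Allowlist sanitizer: keep allowed tags with ALL attributes stripped
    (so no event handlers survive), escape every other tag and all text."""
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        slash, name = m.group(1), m.group(2).lower()
        if name in ALLOWED_TAGS:
            out.append(f"<{slash}{name}>")
        else:
            out.append(html.escape(m.group(0), quote=True))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)

def render_untrusted_html(text):
    """The safe pattern for user-supplied markup: sanitize first, then mark the
    result as XML so write() does not escape the tags we chose to allow."""
    return write(XML(sanitize(text)))

if __name__ == "__main__":
    x = "A 'quote' is <b>bold</b>"          # constructed sample input
    print(write(x))                          # escaped, rendered as literal text
    print(write(XML(x)))                     # emitted verbatim
    print(render_untrusted_html('<b onmouseover="x">hi</b><script>bad()</script>'))
```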

