It could be a good idea to add a decorator to escape all request variables to avoid XSS, no?
Actually I do:
In the controller:
xss = local_import('xss')

def new_widget():
    can_modify()
    # XSS prevention: escape every request variable in place before use
    for req in request.vars:
        request.vars[req] = xss.xssescape(request.vars[req])
    [...]
In modules/xss.py:
http://pastie.org/1971510
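The decorator the post asks about, written out as an added example that is not the poster's code (the poster's modules/xss.py lives behind the pastie link and is not reproduced here). It assumes a web2py-style request object whose vars is a dict-like Storage, stands in html.escape for the poster's xssescape, and replaces can_modify() and the rest of the action with a body that just returns the escaped variables so the effect is visible; the Storage and Request classes and the sample request are constructed stand-ins so the code runs without web2py.

```python
import html
from functools import wraps


class Storage(dict):
    """Minimal stand-in for web2py's request.vars (a dict with attribute access).
    Constructed for this example so it runs without web2py."""
    def __getattr__(self, key):
        return self.get(key)


class Request:
    """Constructed stand-in for the web2py request object."""
    def __init__(self, vars):
        self.vars = Storage(vars)


def escape_value(value):
    """HTML-escape one request variable.

    web2py stores repeated parameters (?tag=a&tag=b) as a list, so lists are
    escaped item by item; non-string values are returned unchanged.
    """
    if isinstance(value, list):
        return [escape_value(item) for item in value]
    if isinstance(value, str):
        # quote=True also escapes " and ' so the value is safe inside attributes
        return html.escape(value, quote=True)
    return value


def escape_request_vars(request):
    """Decorator factory: escape every entry of request.vars before the action runs.

    In a web2py controller `request` is a global, so this is used as
    @escape_request_vars(request) above each action that should be protected.
    """
    def decorator(action):
        @wraps(action)
        def wrapper(*args, **kwargs):
            # list() so the keys are fixed while values are reassigned
            for key in list(request.vars):
                request.vars[key] = escape_value(request.vars[key])
            return action(*args, **kwargs)
        return wrapper
    return decorator


# Constructed sample request: a widget name carrying a script injection,
# a repeated parameter, and a non-string value.
request = Request({
    "name": '<script>alert("x")</script>',
    "tags": ["a<b", "c"],
    "count": 3,
})


@escape_request_vars(request)
def new_widget():
    # The real action would call can_modify() and build the widget; here the
    # escaped variables are returned so the result can be inspected.
    return dict(request.vars)


if __name__ == "__main__":
    print(new_widget())
```

One caveat worth keeping in mind with this approach: the escaping is applied to the input once per request, so anything stored from request.vars is stored already escaped, and web2py's default {{=...}} in views escapes again on output, which double-encodes it (running the decorated action twice on the same request object shows the same effect). The decorator is therefore best treated as a belt-and-braces measure on top of escaping at output time, not a replacement for it.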

