Not exactly a web2py issue, but related. I'm using the jQuery edit in
place function http://code.google.com/p/jquery-in-place-editor/ along
with a web2py backend. During testing I was able to simulate what I
think is called an injection attack, by placing a <script>alert("hello
world");</script> in the replacement string for the string being
edited. Originally, I was just going to do
 
db.mytable[mytable_id]={request.vars.element_id:request.vars.update_value}
but this would have cemented the attack into my db. Instead, I'm
thinking of doing
 
db.mytable[mytable_id]={request.vars.element_id:XML(request.vars.update_value,sanitize=True)}

Is this the right way to clean the incoming text of any malicious
attacks? Or is there a better method?
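As an added, stand-alone example (not web2py's own code and not part of the original post), here is a whitelist sanitizer in the spirit of XML(..., sanitize=True): unlisted tags such as <script> are dropped together with their content, only listed attributes survive, and all text is escaped. The tag and attribute whitelist and the https-only href rule are assumptions chosen for illustration; escape_all shows the other option, storing the raw string and escaping on output, for a field that holds plain text rather than markup.

```python
from html.parser import HTMLParser
from html import escape

# Constructed whitelist for illustration; web2py's own defaults may differ.
PERMITTED_TAGS = {"b", "i", "p", "br", "code", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}


class WhitelistSanitizer(HTMLParser):
    """Keep only whitelisted tags/attributes; escape everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # >0 while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if tag not in PERMITTED_TAGS or self.skip:
            return  # unknown tag: drop the tag itself, keep its text content
        kept = []
        for name, value in attrs:
            # Only listed attributes, and href only with an http(s) URL,
            # so javascript: links and on* handlers never reach the page.
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name == "href" and not value.startswith(("http://", "https://")):
                    continue
                kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in PERMITTED_TAGS and not self.skip and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))


def sanitize(value):
    """Return a markup string safe to store and render: whitelisted HTML only."""
    parser = WhitelistSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)


def escape_all(value):
    """Alternative for plain-text fields: keep no markup at all."""
    return escape(value, quote=True)
```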
