Anything you put inside XML() will not be escaped (unless you set its sanitize argument to True). See http://web2py.com/book/default/chapter/05#XML.

Anthony
On Wednesday, June 29, 2011 3:30:33 PM UTC-4, David Schoenheit wrote:
> Hi,
>
> I am using web2py to write an intentionally vulnerable web app in
> order to demonstrate basic cross site request forgery and cross site
> scripting attacks for educational purposes. I'm running into some
> problems where web2py is automatically html encoding my output and
> preventing the intended attacks from working. Is there a way to
> disable data sanitization in web2py?
>
> Sorry if there is already a post on this subject, I searched for one
> and couldn't find anything.
>
> Thanks for any help you can provide.
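To make the three behaviours Anthony distinguishes concrete (template escaping by default, XML() passing markup through untouched, XML(..., sanitize=True) filtering it), here is an added, self-contained toy model written for this thread. It is not web2py's own code: gluon's XML helper and its sanitizer are not imported, the `render()` function stands in for what `{{=value}}` does in a view, and the default permitted-tag and allowed-attribute lists are assumptions chosen for the demo, not gluon's actual defaults. The attacker payload is constructed for the example.

```python
"""Toy model of escaped vs. raw vs. sanitized output (NOT gluon's code)."""
import html
from html.parser import HTMLParser

# Constructed XSS payload for the demo: event-handler attribute + <script>.
PAYLOAD = '<img src=x onerror="alert(1)"><b>hi</b><script>alert(1)</script>'

# Assumed allow-lists for the demo (not web2py's real defaults).
PERMITTED_TAGS = {"a", "b", "i", "p", "br", "ul", "ol", "li", "code", "pre", "img"}
ALLOWED_ATTRIBUTES = {"a": ("href", "title"), "img": ("src", "alt")}
SAFE_SCHEMES = ("http", "https", "mailto")


class _AllowListSanitizer(HTMLParser):
    """Rebuilds markup keeping only permitted tags/attributes.

    Everything else is dropped; <script>/<style> lose their content too.
    Text nodes are re-escaped because HTMLParser hands them to us decoded.
    """

    DROP_CONTENT = {"script", "style"}

    def __init__(self, permitted_tags, allowed_attributes):
        super().__init__(convert_charrefs=True)
        self.permitted = permitted_tags
        self.allowed_attrs = allowed_attributes
        self.out = []
        self.skip_depth = 0  # > 0 while inside a DROP_CONTENT element

    @staticmethod
    def _safe_url(value):
        value = (value or "").strip()
        if ":" not in value:
            return True  # relative URL, no scheme to abuse
        return value.lower().split(":", 1)[0] in SAFE_SCHEMES

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in self.permitted:
            return  # tag dropped, its text content is still emitted
        kept = []
        for name, value in attrs:
            if name not in self.allowed_attrs.get(tag, ()):
                continue  # e.g. onerror="..." never survives
            if name in ("href", "src") and not self._safe_url(value):
                continue  # e.g. javascript: URLs
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # treat <br/> like <br>

    def handle_endtag(self, tag):
        if tag in self.DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.permitted:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


class XML:
    """Stand-in for the XML() helper: marks text as markup to emit unescaped."""

    def __init__(self, text, sanitize=False, permitted_tags=PERMITTED_TAGS,
                 allowed_attributes=ALLOWED_ATTRIBUTES):
        text = str(text)
        if sanitize:
            parser = _AllowListSanitizer(permitted_tags, allowed_attributes)
            parser.feed(text)
            parser.close()
            text = "".join(parser.out)
        self.text = text

    def xml(self):
        return self.text


def render(value):
    """What a template does with {{=value}}: escape strings, trust XML()."""
    if isinstance(value, XML):
        return value.xml()
    return html.escape(str(value), quote=True)


def demo(payload=PAYLOAD):
    """Return the same payload rendered the three ways discussed in the thread."""
    return {
        "escaped": render(payload),                    # default: attack neutralised
        "raw": render(XML(payload)),                   # XML(): attack goes through
        "sanitized": render(XML(payload, sanitize=True)),  # allow-list filtering
    }


if __name__ == "__main__":
    for mode, out in demo().items():
        print("%-9s %s" % (mode + ":", out))
```

For the intentionally vulnerable teaching app, `render(XML(payload))` is the line that reproduces the XSS. Note that `sanitize=True` is an allow-list, not escaping: `<b>hi</b>` survives while the `onerror` attribute and the whole `<script>` element are removed, and a `javascript:` href is stripped from an otherwise permitted `<a>`.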

