Also, I think all the escaping is done by web2py's template engine, so you could avoid the escaping by skipping use of templates. To do that, have your controller action return a string of (unsafe) HTML instead of a dictionary of values to pass to a view -- the HTML string will be returned as the response to the browser without any sanitizing.
On Wednesday, June 29, 2011 10:47:06 PM UTC-4, Anthony wrote:

> Anything you put inside XML() will not be escaped (unless you set its sanitize argument to True). See http://web2py.com/book/default/chapter/05#XML.
>
> Anthony
>
> On Wednesday, June 29, 2011 3:30:33 PM UTC-4, David Schoenheit wrote:
>
>> Hi,
>>
>> I am using web2py to write an intentionally vulnerable web app in order to demonstrate basic cross site request forgery and cross site scripting attacks for educational purposes. I'm running into some problems where web2py is automatically HTML encoding my output and preventing the intended attacks from working. Is there a way to disable data sanitization in web2py?
>>
>> Sorry if there is already a post on this subject, I searched for one and couldn't find anything.
>>
>> Thanks for any help you can provide.
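To make the rule in this thread concrete, here is an added, self-contained model of it (not web2py's own gluon code, which implements XML() differently): plain values rendered by a view are HTML-escaped, an XML() wrapper passes through untouched, and XML(..., sanitize=True) keeps only an allowlist of tags. ALLOWED_TAGS and the render() function are assumptions made for this example.

```python
"""Model of web2py's output rule: escape by default, XML() is the escape hatch,
XML(sanitize=True) allowlists tags. Added example, not gluon's implementation."""
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this example; web2py's real default differs.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}


class _Sanitizer(HTMLParser):
    """Rebuilds markup keeping only allowlisted tags and dropping all attributes
    (so event handlers such as onclick never survive); text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}/>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Content of disallowed tags (e.g. script bodies) comes through as text.
        self.out.append(escape(data, quote=True))


class XML:
    """Marks a string as trusted markup; sanitize=True applies the allowlist."""

    def __init__(self, text, sanitize=False):
        self.text = text
        self.sanitize = sanitize

    def xml(self):
        if not self.sanitize:
            return self.text
        parser = _Sanitizer()
        parser.feed(self.text)
        parser.close()
        return "".join(parser.out)


def render(value):
    """What a view does with a value: escape it unless it is an XML() object."""
    if isinstance(value, XML):
        return value.xml()
    return escape(str(value), quote=True)
```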

