Anytime that you use {{=var}} in a view, the "var" or whatever it is you are
injecting into the HTML is automatically escaped to prevent injection
attacks. If you wanted to pass in some pre-formatted HTML, you would have to
specifically wrap it in an XML() object for it to display properly,
bypassing the escaping done by web2py.
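
The behaviour described in this message, as an added example that is not part of the original post and is not web2py's own code. It is a standard-library emulation: `Raw` stands in for `XML()`, `render` for the view's `{{=var}}` handling, `find_raw_output` is a hypothetical review helper, and the sample view and inputs are constructed.

```python
import html
import re

class Raw:
    """Stand-in (assumption) for web2py's XML(): marks text as trusted markup."""
    def __init__(self, text):
        self.text = text

def render(template, **context):
    """Emulate {{=name}}: escape every value unless it is wrapped in Raw."""
    def substitute(match):
        value = context[match.group(1)]
        if isinstance(value, Raw):
            return value.text                       # escaping deliberately skipped
        return html.escape(str(value), quote=True)  # default path: escaped
    return re.sub(r"\{\{=\s*(\w+)\s*\}\}", substitute, template)

def find_raw_output(view_source):
    """Return (line_number, line) for each view line that emits {{=XML(...)}}.

    These are the places where automatic escaping is switched off, so each
    one needs a check that the wrapped value never carries user input.
    """
    pattern = re.compile(r"\{\{\s*=\s*XML\(")
    return [(n, line.strip())
            for n, line in enumerate(view_source.splitlines(), start=1)
            if pattern.search(line)]

VIEW = "<p>{{=comment}}</p>"
UNTRUSTED_INPUT = "<script>alert(1)</script>"   # constructed sample input
TRUSTED_SNIPPET = "<b>bold</b>"                 # constructed sample markup

# Constructed view source used to exercise the review helper.
SAMPLE_VIEW = """<h1>{{=title}}</h1>
<div>{{=XML(body_html)}}</div>
<p>{{=XML(request.vars.note)}}</p>
"""

if __name__ == "__main__":
    print(render(VIEW, comment=UNTRUSTED_INPUT))        # markup shown as text
    print(render(VIEW, comment=Raw(TRUSTED_SNIPPET)))   # markup rendered as HTML
    print(render(VIEW, comment=Raw(UNTRUSTED_INPUT)))   # escaping lost: review this
    for number, line in find_raw_output(SAMPLE_VIEW):
        print(f"line {number}: {line}")
```
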

