> I am looking at how to escape particular items in HTML and want to know what is actually being escaped. Is there a list on this page somewhere to show me this? Is it somewhere else?

Escaping is done via the Python cgi.escape function (which converts "&", "<", and ">" -- see http://docs.python.org/library/cgi.html#functions), plus additional escaping of single quotes. See http://code.google.com/p/web2py/source/browse/gluon/html.py#122.

> Also, what do I do to define other things I wouldn't want the user writing?

I think the usual escaping should be safe, but it doesn't allow any HTML markup -- only text. If you want to allow some HTML but still try to keep it safe, you could do XML(potentially_unsafe_text, sanitize=True, permitted_tags=..., allowed_attributes=...) (see http://web2py.com/books/default/chapter/29/5#XML).

Anthony
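As an added illustration (not code from the reply above or from web2py itself), the following Python reproduces the two behaviours the reply describes: plain escaping of "&", "<", ">" and both quote characters via html.escape (the modern replacement for the since-removed cgi.escape), and a small allow-list sanitizer in the spirit of XML(..., sanitize=True, permitted_tags=..., allowed_attributes=...). The AllowlistSanitizer class, its default tag/attribute lists and the javascript: URL check are this example's own assumptions, not web2py's implementation.

```python
import html
from html.parser import HTMLParser


def xml_escape(text: str) -> str:
    """Escape &, <, >, double and single quotes to inert entities.
    html.escape(quote=True) covers exactly the characters the reply lists
    (cgi.escape's three, plus quotes)."""
    return html.escape(text, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Keep only permitted tags and allowed attributes; every other tag is
    escaped to visible text. Assumed design, illustrating the sanitize=True
    idea rather than reproducing web2py's sanitizer."""

    def __init__(self, permitted_tags, allowed_attributes):
        super().__init__(convert_charrefs=True)
        self.permitted = set(permitted_tags)
        self.allowed_attrs = {k: set(v) for k, v in allowed_attributes.items()}
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.permitted:
            # Non-permitted tag: show it literally instead of rendering it
            self.out.append(xml_escape(self.get_starttag_text()))
            return
        keep = []
        for name, value in attrs:
            if name in self.allowed_attrs.get(tag, set()) and value is not None:
                # Drop script-bearing URLs even on an allowed attribute
                if name in ("href", "src") and value.strip().lower().startswith("javascript:"):
                    continue
                keep.append(f' {name}="{xml_escape(value)}"')
        self.out.append(f"<{tag}{''.join(keep)}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>" if tag in self.permitted else xml_escape(f"</{tag}>"))

    def handle_data(self, data):
        # Text content is always escaped, whatever tag it sits in
        self.out.append(xml_escape(data))


def sanitize(text, permitted_tags=("b", "i", "a"), allowed_attributes=None):
    """Return text with only the allow-listed markup left intact."""
    parser = AllowlistSanitizer(permitted_tags, allowed_attributes or {"a": ["href", "title"]})
    parser.feed(text)
    parser.close()
    return "".join(parser.out)
```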

