I tried to simplify my code to post it here, so in a controller:
def simpletest():
    # table definition
    db.define_table('t_simple_test',
                    Field('f_form', type='text',
                          label=T('Form'),
                          comment=T('Write anything here')))
    # form definition
    questionid = 0
    if request.args(0):
        questionid = request.args(0)
        record = db.t_simple_test(questionid)
        if not record:
            session.flash = T("Unknown form %s") % questionid
            redirect(URL('index'))
        logger.info("Editing form %s" % questionid)
        form = SQLFORM(db.t_simple_test, record, deletable=True)
    else:
        logger.info("Editing new form")
        form = SQLFORM(db.t_simple_test)
    if form.accepts(request.vars, session):
        response.flash = T("Form saved.")
        if not questionid:  # first save
            session.flash = response.flash
            redirect(URL('simpletest', args=[form.vars.id]))
    elif form.errors:
        response.flash = T("Form in error.")
    return dict(form=form, questionid=questionid)
(I know I should avoid defining a table in the controller, but I moved the
definition here in order not to mess with the rest of my code.)
But using the form generated by this controller, I cannot reproduce my
problem. :-(
In my other controller functions where I reproduce the problem, I just do
some other things after the form.accepts() (because I added more things in
my form in the view), but I do not change the content of the submitted form.
Even in the views I do not check or rewrite the content of standard form
fields... I will investigate more and replace the escaped characters with the
non-escaped ones for the moment.
I know the content written to a page is escaped, so I use XML(form) to keep
HTML content. But only selected people can write such content, general
users only see the displayed HTML :-)
Thank you Anthony !
On Friday, May 25, 2012 15:11:33 UTC+2, Anthony wrote:
>
> Can you post some code? Using your own SQLFORM will produce the same
> results as appadmin when creating and editing a record (appadmin also uses
> SQLFORM).
>
> Note, by default, any content you write directly to the page in the view
> is escaped, so any HTML tags will be escaped and displayed as literals
> rather than interpreted as HTML. To prevent content from being escaped, you
> have to wrap it in XML() (see
> http://web2py.com/books/default/chapter/29/5#XML). Be careful about that
> -- if you fail to escape content submitted by general users, you'll have a
> cross-site scripting vulnerability (
> http://en.wikipedia.org/wiki/Cross-site_scripting).
>
> Anthony
>
> On Friday, May 25, 2012 4:35:30 AM UTC-4, Cédric Mayer wrote:
>>
>> Hello !
>> I have a table with "text" fields:
>> Field('f_comments', type='text',
>> label=T('Comment')),
>> or even:
>> Field('f_form', type='text',
>> label=T('Form'), comment=T('Please write HTML here')),
>> Using the appadmin interface, if I use an apostrophe " ' " inside the
>> textarea fields and submit the record form, the apostrophes are saved, and if I
>> display the appadmin form for the same record again, they are displayed
>> inside the textarea fields.
>>
>> But creating my own form:
>> form = SQLFORM(db.t_question, record, deletable=True)
>> apostrophes " ' " do not appear anymore.
>>
>> I did some copy-paste of what was inside my own textarea into a
>> hexadecimal editor, and the apostrophes are replaced with the # 27 (hexa 1B)
>> character in the case of my own form.
>>
>> If I save the form as-is, this 1B character is saved too, and so the
>> apostrophe disappears also if I look to the record from the appadmin
>> interface.
>>
>> It is really annoying, as I use the content of the fields as pure HTML
>> afterwards: not having apostrophes leads to errors if I try to have some
>> Javascript in those fields.
>>
>> 1) What is the difference between the form generated in appadmin, and the
>> one generated by SQLFORM ?
>> 2) Is there a way not to escape " ' " in text fields ?
>>
>
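The escaping behaviour Anthony describes, as an added example that is not part of the original thread and not web2py's own code: Python's standard `html` module stands in for the template escaping, the `trusted` flag stands in for wrapping a value in XML(), and the sample strings are constructed for the demonstration. It shows that an HTML-escaped apostrophe becomes `&#x27;`, that a browser decodes the entity again inside a textarea so nothing is lost in the edit round trip, and that the raw (XML()-style) path must only ever be reached for content written by the restricted group of trusted authors, because the same path turns ordinary user input into a stored cross-site scripting payload.

```python
import html

# Constructed sample inputs (not taken from the original thread).
TRUSTED_HTML = "<p>It's <b>fine</b></p><script>alert('editor')</script>"
UNTRUSTED_INPUT = "<script>alert('xss')</script>"
APOSTROPHE_TEXT = "It's a 'test'"


def escape_for_html(value):
    """Escape text the way a view should before writing it into a page.

    html.escape(quote=True) turns &, <, >, " and ' into entities, so the
    browser displays any tags literally instead of interpreting them.
    The apostrophe in particular becomes the entity &#x27;.
    """
    return html.escape(value, quote=True)


def render(value, trusted=False):
    """Stand-in for writing a value in a view.

    Escaped by default; only content explicitly marked as trusted is written
    raw (the equivalent of wrapping it in XML()). The caller is responsible
    for only setting trusted=True for content authored by privileged users.
    """
    return value if trusted else escape_for_html(value)


def render_for_author(value, author_is_editor):
    """Hypothetical authorisation gate in front of the raw path.

    Content from the restricted editor group is written as HTML; anything
    else is escaped, so a general user cannot smuggle script into the page.
    """
    return render(value, trusted=author_is_editor)


def textarea(value):
    """Render a value inside a textarea for editing.

    The content is escaped so that a literal </textarea> or <script> in the
    stored text cannot break out of the element.
    """
    return "<textarea>%s</textarea>" % escape_for_html(value)


def browser_decodes(escaped_value):
    """Simulate what the browser submits back from the textarea.

    The browser decodes the entities, so the apostrophes the user typed are
    exactly what comes back in the form submission.
    """
    return html.unescape(escaped_value)


def edit_roundtrip(value):
    """Escape for display, then decode as the browser would: identity."""
    return browser_decodes(escape_for_html(value))


def contains_live_script(rendered):
    """Crude check whether a rendered fragment still carries an executable
    script element (i.e. the tag was not escaped)."""
    return "<script>" in rendered


if __name__ == "__main__":
    print(escape_for_html(APOSTROPHE_TEXT))
    print(textarea(APOSTROPHE_TEXT))
    print(render_for_author(TRUSTED_HTML, author_is_editor=True))
    print(render_for_author(UNTRUSTED_INPUT, author_is_editor=False))
```

The check that matters for the thread is `edit_roundtrip`: display-escaping the apostrophe does not change what the user gets back when the form is resubmitted, so a stored apostrophe should survive an edit cycle; if it does not, something between the view and the database is rewriting the value rather than the escaping itself.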