I think
response.flash = A("Hello World", _href="#")
should be allowed. It was always allowed. This is a backward compatibility
issue. Yet I see there is a potential security issue there.
I am not sure what the exact solution should be. Perhaps automatic sanitization
of flash messages before response?
response.flash = XML(str(response.flash), sanitize=True).xml()
On Aug 5, 2012, at 10:22 PM, Niphlod wrote:
> Would serialized HTML messages be escaped then?
>
> What if someone uses response.flash = A("Hello World", _href="#")?
>
> On Monday, August 6, 2012 4:50:31 AM UTC+2, Anthony wrote:
> Bump. Should we replace str() with xmlescape() so Ajax flash messages get
> escaped, just like regular flash messages and everything else in the view?
>
> Anthony
>
> On Saturday, August 4, 2012 9:23:53 PM UTC-4, Anthony wrote:
> On Saturday, August 4, 2012 7:00:18 PM UTC-4, dbdeveloper wrote:
> I do not understand what the problem with decodeURIComponent() is?
>
> When I tried trunk, I think there was a problem with the encoding of my
> controller file (ANSI instead of UTF-8) -- in that case, I guess
> urllib2.quote didn't yield the correct output for decodeURIComponent (same
> problem in the earlier version, when the escaping was done on the client side
> via the Javascript escape() function). Now it works.
>
> In any case, a remaining issue is that there's still no escaping of
> potentially dangerous content in the flash message. Everything written to
> HTML by web2py is typically escaped, including regular flash messages. The
> only content that isn't getting escaped are flash messages for Ajax
> components. To be consistent (and safe), we should probably escape those
> messages as well (you can always put them in an XML() if you don't want them
> escaped, as with any template content). In main.py, I replaced:
>
> urllib2.quote(str(response.flash).replace('\n',''))
>
> with:
>
> urllib2.quote(xmlescape(response.flash).replace('\n',''))
>
> With that change, the flash message still looks fine (see screenshot below).
>
> Anthony
>
> --
> -- mail from:GoogleGroups "web2py-developers" mailing list
> make speech: [email protected]
> unsubscribe: [email protected]
> details : http://groups.google.com/group/web2py-developers
> the project: http://code.google.com/p/web2py/
> official : http://www.web2py.com/
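
The two positions argued in this thread (escape the Ajax flash message with xmlescape() instead of str(), or sanitize it with XML(..., sanitize=True) before it leaves the server), as an added stand-alone example. This is not web2py's code and imports nothing from web2py: Helper, xmlescape_model, sanitize_model, AllowlistSanitizer, USER_FLASH and LINK_FLASH are names made up for the example, the two header-building functions mirror the two lines Anthony quotes from main.py, urllib.parse.quote stands in for Python 2's urllib2.quote, and client_decodes models only what the thread says the browser side does (decodeURIComponent on the header, then writing the result into the page).

```python
"""Added example (not web2py's code): a stand-alone model of the two options
debated in the thread, str() vs. xmlescape() when building the Ajax flash
header, and automatic sanitization of the message before it is sent.
Helper, xmlescape_model, sanitize_model, USER_FLASH and LINK_FLASH are
hypothetical names chosen for this example."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote, unquote  # Python 3 counterpart of urllib2.quote


class Helper:
    """Minimal stand-in for a web2py helper such as A(): renders itself via
    .xml() and escapes its own text and attribute values."""

    def __init__(self, tag, text, **attrs):
        self.tag, self.text = tag, text
        # helpers take attributes as _href=..., _class=...; drop the underscore
        self.attrs = {k.lstrip('_'): v for k, v in attrs.items()}

    def xml(self):
        rendered = ''.join(' %s="%s"' % (k, escape(str(v), quote=True))
                           for k, v in sorted(self.attrs.items()))
        return '<%s%s>%s</%s>' % (self.tag, rendered, escape(self.text), self.tag)

    __str__ = xml


def xmlescape_model(data):
    """Escape the way a template does: objects that render themselves
    (helpers, XML()) pass through, anything else becomes escaped text."""
    if hasattr(data, 'xml') and callable(data.xml):
        return data.xml()
    return escape(str(data), quote=True)


def flash_header_before(flash):
    """The line quoted in the thread before the change: str() only."""
    return quote(str(flash).replace('\n', ''))


def flash_header_after(flash):
    """The same line after the change: xmlescape() instead of str()."""
    return quote(xmlescape_model(flash).replace('\n', ''))


def client_decodes(header):
    """Browser side: decodeURIComponent() on the header value. The result is
    written into the page as HTML, so any markup left in it is live."""
    return unquote(header)


class AllowlistSanitizer(HTMLParser):
    """Hypothetical allowlist sanitizer in the spirit of XML(..., sanitize=True):
    keeps a few inline tags plus href, drops every other tag and attribute,
    the bodies of <script>/<style>, and javascript: URLs."""
    TAGS = ('a', 'b', 'i', 'em', 'strong')
    ATTRS = ('href',)
    DROP_BODY = ('script', 'style')

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside a dropped body

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_BODY:
            self.skip += 1
            return
        if self.skip or tag not in self.TAGS:
            return
        kept = ''
        for name, value in attrs:
            if (name in self.ATTRS and value is not None
                    and not value.strip().lower().startswith('javascript:')):
                kept += ' %s="%s"' % (name, escape(value, quote=True))
        self.out.append('<%s%s>' % (tag, kept))

    def handle_endtag(self, tag):
        if tag in self.DROP_BODY:
            self.skip = max(0, self.skip - 1)
            return
        if not self.skip and tag in self.TAGS:
            self.out.append('</%s>' % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))


def sanitize_model(markup):
    """Sanitize str(markup) and return the surviving HTML."""
    parser = AllowlistSanitizer()
    parser.feed(str(markup))
    parser.close()
    return ''.join(parser.out)


# Constructed inputs: a message carrying user-controlled text, and a helper.
USER_FLASH = 'Saved <img src=x onerror=alert(1)>'
LINK_FLASH = Helper('a', 'Hello World', _href='#')
```

`client_decodes(flash_header_before(USER_FLASH))` hands the raw `<img ...>` markup to the page, while the `flash_header_after` path delivers it with `<` and `>` escaped; `LINK_FLASH` comes through both paths unchanged because it renders via `.xml()` and is never escaped as text, which is why a helper on the right-hand side of `response.flash` keeps working under the xmlescape() change. `sanitize_model` shows the other route proposed at the top of the message, keeping markup but stripping whatever the allowlist does not permit; web2py's own XML() takes `permitted_tags` and `allowed_attributes` arguments where this model hard-codes a short list.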