>
> However,
>
> session.flash=XML('<a href="%s">click me</a>' % URL('index'))
>
> still renders to a string instead of html, feels like unexpected behavior
> to me.
>
It works with response.flash but not session.flash. This is because html.py
includes the following code:
### important to allow safe session.flash=T(....)
def XML_unpickle(data):
return marshal.loads(data)
def XML_pickle(data):
return XML_unpickle, (marshal.dumps(str(data)),)
copy_reg.pickle(XML, XML_pickle, XML_unpickle)
When session.flash is pickled, it extracts just the text value from XML(),
so when it is unpickled, all you have is the text, which gets escaped in
the view. I'm not sure why that's done, given that you can use XML() with
response.flash.
Anthony
--
