Hi there
I'm reading the templating tutorial that says:
"Also, note that web.py automatically escapes any variables used here"
Is it true also for web.py used with Google App Engine?
I'm currently testing it and it seems unescaped by default, as I can
trigger JavaScript simply using:
$post.title
where post.title contains:
<script>alert('foo');</script>
I've tried to add filter=websafe to this method:
render = web.template.render('app/views/', globals = global_template,
cache = True, base = 'base', filter=websafe)
but it does not work.
Do I need to pass template.websafe as global, using it inside my
templates to escape every $ print?
Thank you very much
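The behaviour asked about above (a `$post.title` that should be escaped, and an HTML-safe filter applied to every `$` print) can be checked with a regression test rather than by eye. The following is an added example, not web.py's code and not code from the original post: it implements a hypothetical, deliberately tiny `$name` / `$:name` substitution (web.py's own templating uses `$:` for raw, unescaped output) with escaping on by default, plus a check that no live `<script` start tag survives in the rendered HTML. `websafe` here is Python's `html.escape`, which covers `&`, `<`, `>`, `"` and `'`; the exact character set of web.py's own `websafe` is not something this example relies on. The sample title is constructed from the payload quoted in the post.

```python
import html
import re

# Constructed sample title, the same payload the post describes.
POST_TITLE = "<script>alert('foo');</script>"

# $name  -> escaped output (the default)
# $:name -> raw output (what web.py's templates do for an explicit $:)
_VAR = re.compile(r"\$(:?)([A-Za-z_][A-Za-z0-9_.]*)")


def websafe(value):
    """Escape &, <, >, \" and ' so the value is inert when placed in HTML text."""
    return html.escape(str(value), quote=True)


def render(template, context):
    """Hypothetical stand-in for a template renderer (not web.py itself).

    Substitutes $name with the escaped value and $:name with the raw value.
    Dotted names such as post.title resolve against nested dicts or attributes.
    """
    def lookup(path):
        obj = context
        for part in path.split("."):
            obj = obj[part] if isinstance(obj, dict) else getattr(obj, part)
        return obj

    def substitute(match):
        raw = match.group(1) == ":"
        value = lookup(match.group(2))
        return str(value) if raw else websafe(value)

    return _VAR.sub(substitute, template)


# A start tag that a browser would actually execute; case-insensitive,
# and tolerant of whitespace after the '<' as some parsers are.
_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def has_live_script(rendered):
    """True if an unescaped <script> start tag is present in the rendered HTML."""
    return _SCRIPT_TAG.search(rendered) is not None


def render_title(title, raw=False):
    """Render the title the way the post's template does; raw=True uses $: instead."""
    template = "<h1>$:post.title</h1>" if raw else "<h1>$post.title</h1>"
    return render(template, {"post": {"title": title}})


if __name__ == "__main__":
    safe = render_title(POST_TITLE)
    print(safe)                       # &lt;script&gt;... wrapped in <h1>
    print("escaped:", not has_live_script(safe))
    print("raw path executes:", has_live_script(render_title(POST_TITLE, raw=True)))
```

`has_live_script` is the check to keep in the test suite: render the page with a known payload in every user-controlled field and assert the predicate is false. If a deployment (App Engine or otherwise) ever ships with escaping off, that test fails before the page does. Note that escaping for HTML text is not sufficient on its own for values placed inside attributes, URLs or inline JavaScript; each of those contexts needs its own encoding.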