Hi Friend, try $:post.title
-- Leandro.

On May 13, 4:51 pm, MLTrim <[email protected]> wrote:
> Hi there
> I'm reading the templating tutorial that says:
> "Also, note that web.py automatically escapes any variables used here"
>
> Is it true also for web.py used with Google App Engine?
> I'm currently testing it and it seems unescaped by default, as I can
> trigger JavaScript simply using:
>
> $post.title
>
> where post.title contains:
> <script>alert('foo');</script>
>
> I've tried to add filter=websafe to this method:
> render = web.template.render('app/views/', globals = global_template,
> cache = True, base = 'base', filter=websafe)
> but it does not work.
>
> Do I need to pass template.websafe as global, using it inside my
> templates to escape every $ print?
>
> Thank you very much
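An added illustration of the escaping behaviour this thread is about; it is not web.py's code and not part of the thread. It is a minimal stand-in renderer that treats `$name` as escaped output and `$:name` as raw output, fed the asker's sample title, plus a check that tells the two results apart. The `websafe`, `render` and `has_live_script` names are this example's own, not web.py's API.

```python
import html
import re

# Constructed sample value, the same kind the asker used, for illustration only.
POST = {"title": "<script>alert('foo');</script>"}

# Matches web.py-style placeholders: "$name" (escaped) or "$:name" (raw).
_PLACEHOLDER = re.compile(r"\$(:?)([A-Za-z_][A-Za-z0-9_.]*)")


def websafe(value):
    """Escape &, <, >, " and ' so a value cannot break out of its HTML context.
    Stand-in for a websafe filter; not web.py's own implementation."""
    return html.escape(str(value), quote=True)


def render(template, context):
    """Minimal stand-in template renderer: '$x' is escaped, '$:x' is emitted raw."""
    def lookup(path):
        obj = context
        for part in path.split("."):
            obj = obj[part] if isinstance(obj, dict) else getattr(obj, part)
        return obj

    def substitute(match):
        raw = match.group(1) == ":"
        value = lookup(match.group(2))
        return str(value) if raw else websafe(value)

    return _PLACEHOLDER.sub(substitute, template)


def has_live_script(rendered):
    """Defender's check: does the rendered HTML still contain a real <script> tag?"""
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    escaped = render("<h1>$post.title</h1>", {"post": POST})
    raw = render("<h1>$:post.title</h1>", {"post": POST})
    print("escaped:", escaped, "| live script:", has_live_script(escaped))
    print("raw:    ", raw, "| live script:", has_live_script(raw))
```

Whichever form web.py uses on a given setup, running its actual output through a check like `has_live_script` is the quickest way to confirm which placeholder form is escaping.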
