To the best of my knowledge, $: is useful to unescape. If you read carefully, it is not what I want.
Thanks anyway M.

On May 14, 4:17 pm, ProfessionalIT <[email protected]> wrote:
> Hi Friend,
>
> try $:post.title
>
> --
> Leandro.
>
> On May 13, 4:51 pm, MLTrim <[email protected]> wrote:
> >
> > Hi there
> > I'm reading the templating tutorial that says:
> > "Also, note that web.py automatically escapes any variables used here"
> >
> > Is it true also for web.py used with Google App Engine?
> > I'm currently testing it and it seems unescaped by default as I can
> > trigger javascript simply using:
> >
> > $post.title
> >
> > where post.title contains:
> > <script>alert('foo');</script>
> >
> > I've tried to add filter=websafe to this method:
> > render = web.template.render('app/views/', globals = global_template,
> > cache = True, base = 'base', filter=websafe)
> > but it does not work.
> >
> > Do I need to pass template.websafe as global, using it inside my
> > templates to escape every $ print?
> >
> > Thank you very much
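The distinction the thread turns on, `$var` (escaped) versus `$:var` (raw), shown with a small renderer written for this page; it is an added illustration and not web.py's template engine, and the `render`, `websafe` and `is_escaped` names are its own. The sample title is the constructed value quoted in the thread, and `is_escaped` is the kind of check a developer would run against rendered output to confirm the default really is escaping.

```python
import html
import re

# Constructed sample context: the value MLTrim reports triggering script.
POST = {"title": "<script>alert('foo');</script>"}

# Matches $name or $:name with dotted lookups, e.g. $post.title / $:post.title.
# This mimics the two web.py substitutions for illustration only.
_VAR = re.compile(r"\$(:?)([A-Za-z_][\w.]*)")


def websafe(value):
    """Escape &, <, >, ' and \" so a value is inert inside HTML text."""
    return html.escape(str(value), quote=True)


def _lookup(context, dotted):
    """Resolve 'post.title' against a dict-or-object context."""
    obj = context
    for part in dotted.split("."):
        obj = obj[part] if isinstance(obj, dict) else getattr(obj, part)
    return obj


def render(template, context, escape=websafe):
    """Expand $var through `escape`; expand $:var raw, as web.py does."""
    def substitute(match):
        raw = match.group(1) == ":"
        value = _lookup(context, match.group(2))
        return str(value) if raw else escape(value)
    return _VAR.sub(substitute, template)


def is_escaped(output):
    """Defender's check: no live <script tag survives in rendered output."""
    return "<script" not in output.lower()


if __name__ == "__main__":
    ctx = {"post": POST}
    safe = render("<h1>$post.title</h1>", ctx)
    unsafe = render("<h1>$:post.title</h1>", ctx)
    print("escaped :", safe, is_escaped(safe))
    print("raw     :", unsafe, is_escaped(unsafe))
```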
