Fixed with webpy 0.35, thanks.
On May 14, 6:00 pm, MLTrim <[email protected]> wrote:
> To the best of my knowledge, $: is useful to unescape.
> If you read carefully, it is not what I want.
>
> Thanks anyway
> M.
>
> On May 14, 4:17 pm, ProfessionalIT <[email protected]> wrote:
>
> > Hi Friend,
>
> > try $:post.title
>
> > -- Leandro.
>
> > On May 13, 4:51 pm, MLTrim <[email protected]> wrote:
>
> > > Hi there
> > > I'm reading the templating tutorial that says:
> > > "Also, note that web.py automatically escapes any variables used here"
>
> > > Is it true also for web.py used with Google App Engine?
> > > I'm currently testing it and it seems unescaped by default as I can
> > > trigger javascript simply using:
>
> > > $post.title
>
> > > where post.title contains:
> > > <script>alert('foo');</script>
>
> > > I've tried to add filter=websafe to this method:
> > > render = web.template.render('app/views/', globals = global_template,
> > > cache = True, base = 'base', filter=websafe)
> > > but it does not work.
>
> > > Do I need to pass template.websafe as global, using it inside my
> > > templates to escape every $ print?
>
> > > Thank you very much
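A regression check for the behaviour asked about in this thread, added here as an example and not code from the thread or from web.py: it renders the quoted payload through a template that prints `$post.title` and reports whether the title came out as live markup or escaped. `check_escaping`, `webpy_renderer`, the two stand-in renderers, the template text and the file name are hypothetical names and values made up for the example.

```python
import html
from types import SimpleNamespace

# Payload quoted in the thread above.
PROBE = "<script>alert('foo');</script>"


def check_escaping(render_title):
    """Render a post whose title is PROBE and report how the markup came out.

    render_title is any callable that takes a post object and returns the
    rendered page for a template that prints $post.title.
    """
    out = str(render_title(SimpleNamespace(title=PROBE)))
    lowered = out.lower()
    return {
        "raw_markup": "<script>" in lowered,     # title reached the page as live markup
        "escaped": "&lt;script&gt;" in lowered,  # title was HTML-escaped
        "output": out,
    }


def webpy_renderer(filename="post.html"):
    """Wrap a web.py string template; needs web.py installed.

    Template text and file name are constructed for this example. web.py
    picks its default escaping filter from the template file extension.
    """
    import web  # imported lazily so check_escaping itself has no dependency
    tmpl = web.template.Template(
        "$def with (post)\n<h1>$post.title</h1>\n", filename=filename)
    return lambda post: str(tmpl(post))


# Stand-ins (not web.py code) so the check can be exercised offline.
def escaping_renderer(post):
    return "<h1>%s</h1>" % html.escape(post.title, quote=True)


def passthrough_renderer(post):
    return "<h1>%s</h1>" % post.title


if __name__ == "__main__":
    for name, fn in [("escaping", escaping_renderer),
                     ("passthrough", passthrough_renderer)]:
        result = check_escaping(fn)
        print(name, "FAIL" if result["raw_markup"] else "ok", result["output"])
```

Running `check_escaping(webpy_renderer())` in the deployment environment (for example under the App Engine SDK) shows whether the installed web.py version escapes there.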
