Some of the information here may be outdated, please check the book instead

If you're trying to output HTML data that comes from a database or a variable, you need to wrap it in the XML() helper; otherwise the view escapes it and the browser shows the raw tags as text.

There is an explanation from Massimo:

Let's assume you have the HTML data in a variable called a. When you print it in a view with

{{=a}} or {{=DIV(a)}} or {{=DIV(P(a))}} etc.

the content of a is automatically escaped to prevent XSS attacks. This is the by-the-book way to proceed. If you do not want it escaped, you need to mark it with XML:

{{=XML(a)}} or {{=DIV(XML(a))}} or {{=DIV(P(XML(a)))}} etc.

Kid in TurboGears does the same, for the same reason. This is not the end of the story. By using XML you are allowing the HTML content to be displayed verbatim. Who creates that content? Do you trust that it does not contain harmful scripts for the viewers? If not, you should sanitize it:

{{=XML(a, sanitize=True)}}

This will only allow safe tags and remove unsafe ones. You can also specify which tags should be allowed, and which attributes for each tag:

{{=XML(a, sanitize=True,
       permitted_tags=['a', 'b', 'blockquote', 'br/', 'i',
                       'li', 'ol','ul', 'p','cite','code','pre','img/'],
       allowed_attributes={'a':['href', 'title'],
                           'img':['src', 'alt'], 'blockquote':['type']})}}

Security is a major concern for web2py!
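The three rendering modes in Massimo's explanation above ({{=a}}, {{=XML(a)}} and {{=XML(a, sanitize=True, ...)}}), as an added stand-alone example. This is not web2py's own code (its helpers live in gluon/html.py and gluon/sanitizer.py); it re-implements the same allowlist idea on top of the standard library's html.parser so it runs without web2py. The permitted_tags and allowed_attributes defaults are the ones web2py documents; the set of URL schemes accepted in href/src, the dropping of script/style bodies, and the sample input are assumptions of this example.

```python
import html
from html.parser import HTMLParser

# web2py's documented defaults for XML(..., sanitize=True).
# A trailing '/' marks a void (self-closing) element.
PERMITTED_TAGS = ['a', 'b', 'blockquote', 'br/', 'i', 'li',
                  'ol', 'ul', 'p', 'cite', 'code', 'pre', 'img/']
ALLOWED_ATTRIBUTES = {'a': ['href', 'title'],
                      'img': ['src', 'alt'],
                      'blockquote': ['type']}
# Assumed for this example: schemes an href/src may use after sanitizing.
SAFE_SCHEMES = {'http', 'https', 'mailto', 'ftp'}
# Assumed for this example: text inside these elements is dropped, not unwrapped.
DROP_CONTENT_OF = {'script', 'style'}


def render_escaped(text):
    """What {{=a}} does: everything is escaped, so no markup survives."""
    return html.escape(str(text), quote=True)


def render_verbatim(text):
    """What {{=XML(a)}} does: trust the author and emit the string as-is."""
    return str(text)


def url_is_safe(url):
    """Allow relative URLs and SAFE_SCHEMES; reject javascript:, data:, etc."""
    head, sep, _ = url.strip().partition(':')
    if not sep or any(c in head for c in '/?#'):
        return True  # no scheme in front of the first ':' -> relative URL
    # browsers ignore embedded whitespace in the scheme, so strip it too
    return ''.join(head.split()).lower() in SAFE_SCHEMES


class _Sanitizer(HTMLParser):
    """Allowlist filter: keeps permitted tags/attributes, escapes all text."""

    def __init__(self, permitted_tags, allowed_attributes):
        super().__init__(convert_charrefs=True)
        self.void = {t[:-1] for t in permitted_tags if t.endswith('/')}
        self.normal = {t for t in permitted_tags if not t.endswith('/')}
        self.allowed_attributes = allowed_attributes
        self.out = []
        self.open_tags = []   # permitted tags currently open, for balancing
        self.dropping = None  # script/style element whose body is skipped

    def _attrs(self, tag, attrs):
        allowed = self.allowed_attributes.get(tag, [])
        parts = []
        for name, value in attrs:
            value = value or ''
            if name not in allowed:
                continue
            if name in ('href', 'src') and not url_is_safe(value):
                continue
            parts.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        return ''.join(parts)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_OF:
            self.dropping = tag
        elif tag in self.void:
            self.out.append('<%s%s />' % (tag, self._attrs(tag, attrs)))
        elif tag in self.normal:
            self.out.append('<%s%s>' % (tag, self._attrs(tag, attrs)))
            self.open_tags.append(tag)
        # any other tag is silently unwrapped: its text still comes through

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in self.normal:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag == self.dropping:
            self.dropping = None
        elif tag in self.open_tags:
            # close anything opened after it too, so the output stays balanced
            while True:
                top = self.open_tags.pop()
                self.out.append('</%s>' % top)
                if top == tag:
                    break

    def handle_data(self, data):
        if self.dropping is None:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.open_tags:  # close tags the input left open
            self.out.append('</%s>' % self.open_tags.pop())
        return ''.join(self.out)


def render_sanitized(text, permitted_tags=PERMITTED_TAGS,
                     allowed_attributes=ALLOWED_ATTRIBUTES):
    """What {{=XML(a, sanitize=True, ...)}} does: keep only allowlisted markup."""
    parser = _Sanitizer(permitted_tags, allowed_attributes)
    parser.feed(str(text))
    return parser.result()


if __name__ == '__main__':
    # Constructed sample of "HTML from a database" written by an untrusted user.
    untrusted = ('<p onclick="alert(1)">Hello <b>world</b> '
                 '<script>alert(1)</script>'
                 '<a href="javascript:alert(1)" title="t">x</a>'
                 '<img src="/a.png" alt="a"><br></p>')
    print(render_escaped(untrusted))    # safe, but shows the tags as text
    print(render_verbatim(untrusted))   # the script and onclick reach the browser
    print(render_sanitized(untrusted))  # markup kept, payloads stripped
```

The point to take from the three outputs: escaping is safe but destroys the formatting, verbatim output keeps the formatting and the attack, and the allowlist keeps the formatting while dropping the onclick handler, the script element and the javascript: URL. Comments and the bodies of unknown tags are the usual places a bypass hides, which is why the sanitizer works from what it permits rather than from a list of what it forbids.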

© 2008-2010 by Massimo Di Pierro - All rights reserved - Powered by web2py - design derived from a theme by the earlybird
The content of this book is released under the Artistic License 2.0 - Modified content cannot be reproduced.