AlterEgo
old web2py blog
Some of the information here may be outdated, please check the book instead
If you're trying to use HTML data from a database or a variable, you'll need to use the XML() function. There is an explanation from Massimo:

Let's assume you have the HTML data in a variable called a. When you print it in a view with {{=a}} or {{=DIV(a)}} or {{=DIV(P(a))}} etc., the content of a is automatically escaped to prevent XSS attacks. This is the by-the-book way to proceed.

If you do not want to escape it you need to mark it with XML: {{=XML(a)}} or {{=DIV(XML(a))}} or {{=DIV(P(XML(a)))}} etc. Kid in TurboGears does the same for the same reason.

This is not the end of the story. By using XML you are allowing the HTML content to be displayed verbatim. Who creates that content? Do you trust that it does not contain harmful scripts for the viewers? If not you should sanitize it:

{{=XML(a, sanitize=True)}}

This will only allow safe tags and remove unsafe ones. You can also specify which tags should be allowed and which attributes for each tag (the whitelist is only applied when sanitize=True):

{{=XML(a, sanitize=True, permitted_tags=['a','b','blockquote','br/','i','li','ol','ul','p','cite','code','pre','img/'], allowed_attributes={'a':['href','title'], 'img':['src','alt'], 'blockquote':['type']})}}

Security is a major concern for web2py!
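As an added illustration (not web2py's own XML() helper or its gluon.sanitizer code), the following Python models the three view cases above with a small whitelist sanitizer driven by the same permitted_tags and allowed_attributes; the WhitelistSanitizer class, the render() function and the sample markup are my own constructions, and it also rejects javascript: URLs on whitelisted href/src attributes, a check the page does not mention.

```python
import html
from html.parser import HTMLParser

# Whitelist copied from the page's example ('br/' and 'img/' mark void elements).
PERMITTED_TAGS = ['a', 'b', 'blockquote', 'br/', 'i', 'li', 'ol', 'ul',
                  'p', 'cite', 'code', 'pre', 'img/']
ALLOWED_ATTRIBUTES = {'a': ['href', 'title'], 'img': ['src', 'alt'], 'blockquote': ['type']}

class WhitelistSanitizer(HTMLParser):
    """Keep only whitelisted tags/attributes; escape all text; drop <script>/<style> bodies."""
    def __init__(self, permitted_tags, allowed_attributes):
        super().__init__(convert_charrefs=True)
        self.void = {t[:-1] for t in permitted_tags if t.endswith('/')}
        self.tags = {t.rstrip('/') for t in permitted_tags}
        self.attrs, self.out, self.skipping = allowed_attributes, [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ('script', 'style'):
            self.skipping += 1
        elif tag in self.tags and not self.skipping:
            kept = ''
            for name, value in attrs:
                value = value or ''
                # keep whitelisted attribute names only, and never a javascript: URL
                if name in self.attrs.get(tag, ()) and not (name in ('href', 'src')
                        and value.strip().lower().startswith('javascript:')):
                    kept += ' %s="%s"' % (name, html.escape(value, quote=True))
            self.out.append('<%s%s%s>' % (tag, kept, '/' if tag in self.void else ''))
    def handle_endtag(self, tag):
        if tag in ('script', 'style'):
            self.skipping = max(0, self.skipping - 1)
        elif tag in self.tags and tag not in self.void and not self.skipping:
            self.out.append('</%s>' % tag)
    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

def render(a, use_xml=False, sanitize=False):
    """Model the view cases {{=a}}, {{=XML(a)}} and {{=XML(a, sanitize=True)}}."""
    if not use_xml:
        return html.escape(a, quote=True)   # default: everything escaped
    if not sanitize:
        return a                            # XML(a): verbatim, so you must trust it
    p = WhitelistSanitizer(PERMITTED_TAGS, ALLOWED_ATTRIBUTES)
    p.feed(a); p.close()
    return ''.join(p.out)
# Constructed sample: user markup carrying an event handler and an injected script.
SAMPLE = ('<p>Hi <b onclick="x()">there</b> <a href="/u/1" title="me">me</a>'
          '<script>alert(1)</script><br/>A &lt; B</p>')
```

Calling render(SAMPLE, use_xml=True, sanitize=True) keeps the paragraph, the link and the line break but strips the onclick handler and the whole script element, while render(SAMPLE) escapes everything and render(SAMPLE, use_xml=True) returns the markup untouched.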
© 2008-2010 by Massimo Di Pierro - All rights reserved - Powered by web2py - design derived from a theme by the earlybird
The content of this book is released under the Artistic License 2.0 - Modified content cannot be reproduced.