singh91digvijay / google-app-engine-samples

Automatically exported from code.google.com/p/google-app-engine-samples

Should greeting.content = self.request.get('content') be escaped? #59

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Line 43 of guestbook5_datastore.py

greeting.content = self.request.get('content')

I guess it is better to have it escaped:

greeting.content = cgi.escape(self.request.get('content'))

Any suggestions? Correct me if I am wrong.

Original issue reported on code.google.com by raullenc...@gmail.com on 3 Feb 2012 at 2:01

GoogleCodeExporter commented 8 years ago
I had the same problem in the cccwiki. Try using the autoescape in the template in the block...

{% autoescape off %}
  {{ content }}
{% endautoescape %}

Original comment by RichKH...@gmail.com on 17 Jan 2015 at 5:53
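The two options raised in this thread (escape the request value before storing it, or let the template escape it at render time) differ in where the escaping happens, and the `autoescape` block only protects when it is `on`. The following is an added example, not code from the google-app-engine-samples project; it simulates the guestbook's store and render steps with plain dicts and `html.escape` (the Python 3 successor of `cgi.escape`), with a constructed sample post.

```python
"""Added example (not from the original project): where to escape guestbook content.

The defensive rule: store the raw text, escape it once at render time.
Python 3 removed cgi.escape; html.escape(quote=True) is the replacement
(cgi.escape did NOT escape quotes by default).
"""
import html

# Constructed sample input: what a visitor might submit in the guestbook form.
CONSTRUCTED_POST = '<script>alert(1)</script> & "quotes"'


def store_greeting(raw_content):
    """Mirrors greeting.content = self.request.get('content'): keep the raw text."""
    return {"content": raw_content}


def store_pre_escaped(raw_content):
    """The other option from the thread: escape before storing (cgi.escape style)."""
    return {"content": html.escape(raw_content, quote=True)}


def render_escaped(greeting):
    """Equivalent of {% autoescape on %}{{ content }}{% endautoescape %}."""
    return "<p>{}</p>".format(html.escape(greeting["content"], quote=True))


def render_unescaped(greeting):
    """Equivalent of {% autoescape off %}: stored markup reaches the browser verbatim."""
    return "<p>{}</p>".format(greeting["content"])


def contains_active_tag(rendered):
    """Crude check used below: does the output still carry a live <script> tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    g = store_greeting(CONSTRUCTED_POST)
    print(render_escaped(g))    # safe: &lt;script&gt;... is shown as text
    print(render_unescaped(g))  # unsafe: <script> is interpreted by the browser
    # Escaping at input AND autoescaping at output double-encodes (&amp;lt;...),
    # so the visitor sees literal "&lt;script&gt;" instead of their text.
    print(render_escaped(store_pre_escaped(CONSTRUCTED_POST)))
```

The last print shows why escaping in both places is not "extra safe": the stored `&lt;` is re-escaped to `&amp;lt;` and the page displays garbled text.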