[mod_python] Sanitizing user input... but not totally.

Deron Meranda deron.meranda at gmail.com
Tue Nov 22 17:07:29 EST 2005


On 11/22/05, Jorey Bump <list at joreybump.com> wrote:
> But you will still need to use
> something like cgi.escape() when pulling strings from the db and
> printing them to a browser.

Remember when using cgi.escape that if you're writing something
to an element attribute (anything inside a tag, between < and >)
you should call it via cgi.escape(string,True), not just cgi.escape(string).

If you use Myghty's m.apply_escape(), it is already always safe
whether in an attribute or just normal content.

Also remember the Myghty escape type 'x' can be used for
any XML document, whereas 'h' should only be used for HTML.
--
Deron Meranda
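
As an added example (not from the post above, nor from the mod_python or Myghty projects), here is the difference the two cgi.escape forms make in Python. Without the second argument, a double quote in the value survives escaping, so a value written into `value="..."` can close the attribute and everything after it is parsed as markup. Python 3 removed cgi.escape (deprecated in 3.2, gone in 3.8); html.escape is the replacement, and its quote parameter defaults to True, so the attribute-safe behaviour is the default there. The attacker string is constructed for the demonstration.

```python
import html

# Constructed untrusted input: it tries to close a double-quoted attribute
# value and add an event-handler attribute of its own.
UNTRUSTED = '" onmouseover="alert(1)'


def escape_content(s):
    """Escape for text between tags: only &, <, > are replaced.

    This is what Python 2's cgi.escape(s) did (quote defaults to False).
    """
    return html.escape(s, quote=False)


def escape_attribute(s):
    """Escape for a quoted attribute value: &, <, >, " and also '.

    This is the Python 3 equivalent of cgi.escape(s, True); html.escape
    additionally turns a single quote into &#x27;, which cgi.escape did not.
    """
    return html.escape(s, quote=True)


def render_input_unsafe(value):
    """The bug from the thread: content-style escaping inside an attribute.

    The double quote in `value` is left alone, so the attribute ends early
    and the rest of the string becomes a live attribute on the tag.
    """
    return '<input value="%s">' % escape_content(value)


def render_input_safe(value):
    """Attribute-aware escaping keeps the whole value inside the quotes."""
    return '<input value="%s">' % escape_attribute(value)


def attribute_breaks_out(rendered):
    """Crude check for the rendered tag above: the template contributes
    exactly two raw double quotes, so any other count means the value
    escaped the attribute."""
    return rendered.count('"') != 2


if __name__ == "__main__":
    print(render_input_unsafe(UNTRUSTED))  # attribute closed, handler injected
    print(render_input_safe(UNTRUSTED))    # single attribute, value intact
```

The same distinction applies to any attribute-quoting style: if the value is wrapped in single quotes, the single quote must be escaped too, which is one reason html.escape covers both quote characters.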