authorChris McDonough <chrism@plope.com>2014-05-23 14:57:01 -0400
committerChris McDonough <chrism@plope.com>2014-05-23 14:57:01 -0400
commitd76bdb514c92ee1fd9b1bd67387d15d34ea28bb3 (patch)
tree36784e20002ecc4cb6675901b3cc2bda36e54caa /docs/quick_tour/views/views.py
parent0c5bb0aa329239df877ccb053280e398766eb434 (diff)
parentc740e8bd20c049cbab43ce0a1cd5a4533fe6b849 (diff)
Merge branch 'master' of github.com:Pylons/pyramid
Diffstat (limited to 'docs/quick_tour/views/views.py')
-rw-r--r--docs/quick_tour/views/views.py7
1 files changed, 5 insertions, 2 deletions
diff --git a/docs/quick_tour/views/views.py b/docs/quick_tour/views/views.py
index 9dc795f14..1449cbb38 100644
--- a/docs/quick_tour/views/views.py
+++ b/docs/quick_tour/views/views.py
@@ -1,3 +1,5 @@
+import cgi
+
from pyramid.httpexceptions import HTTPFound
from pyramid.response import Response
from pyramid.view import view_config
@@ -14,7 +16,8 @@ def home_view(request):
def hello_view(request):
name = request.params.get('name', 'No Name')
body = '<p>Hi %s, this <a href="/goto">redirects</a></p>'
- return Response(body % name)
+ # cgi.escape to prevent Cross-Site Scripting (XSS) [CWE 79]
+ return Response(body % cgi.escape(name))
# /goto which issues HTTP redirect to the last view
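Review bot: The new `cgi.escape(name)` call on the return line relies on the default `quote=False`, which escapes `<`, `>` and `&` but leaves `"` and `'` untouched, so the escaping is adequate only because `name` lands in element text inside `<p>`, not in an attribute or a JavaScript context. Since this file is a tutorial example readers will copy, the added comment should state that scope, e.g. `# cgi.escape (quote=False) is enough here because name is element text; use quote=True for attribute values`. Note also that `cgi.escape` is deprecated on Python 3 (removed in 3.8) in favour of `html.escape`, which escapes quotes by default; if this example is meant to run on Python 3 as well, the comment should point readers there, though whether the quick tour targets both interpreters cannot be told from this hunk. The decorator that precedes `hello_view` appears to fall outside the visible hunk lines.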
@@ -23,7 +26,7 @@ def redirect_view(request):
return HTTPFound(location="/problem")
-# /problem which causes an site error
+# /problem which causes a site error
@view_config(route_name='exception')
def exception_view(request):
raise Exception()