authorMichael Merickel <michael@merickel.org>2014-08-06 11:59:45 -0500
committerMichael Merickel <michael@merickel.org>2014-08-06 11:59:45 -0500
commit9279468d0e4d411652a735e28839bd8a5504ced6 (patch)
tree580c1efc1044325a20a242a212d647b81cde6088 /docs/quick_tour/views
parent407b335ed9954c042377fd2e060c36edcd07cf60 (diff)
parent3587a53dc28b8f6411816ccd7fd8fdee0d88acb4 (diff)
Merge branch 'master' into feature.override-asset-with-absolute-path
Diffstat (limited to 'docs/quick_tour/views')
-rw-r--r--docs/quick_tour/views/views.py7
1 files changed, 5 insertions, 2 deletions
diff --git a/docs/quick_tour/views/views.py b/docs/quick_tour/views/views.py
index 9dc795f14..1449cbb38 100644
--- a/docs/quick_tour/views/views.py
+++ b/docs/quick_tour/views/views.py
@@ -1,3 +1,5 @@
+import cgi
+
from pyramid.httpexceptions import HTTPFound
from pyramid.response import Response
from pyramid.view import view_config
@@ -14,7 +16,8 @@ def home_view(request):
def hello_view(request):
name = request.params.get('name', 'No Name')
body = '<p>Hi %s, this <a href="/goto">redirects</a></p>'
- return Response(body % name)
+ # cgi.escape to prevent Cross-Site Scripting (XSS) [CWE 79]
+ return Response(body % cgi.escape(name))
# /goto which issues HTTP redirect to the last view
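Review bot: `cgi.escape(name)` on the new return line escapes only `&`, `<` and `>`; with the default `quote=False` it leaves `"` and `'` untouched, which is adequate here only because `name` is interpolated into element text and not into an attribute value. That context assumption deserves to be stated next to the call, e.g. `# escape &, <, > so a user-supplied name cannot inject markup; text-content context only (not attribute-safe)`. `cgi.escape` is also deprecated since Python 3.2 in favour of `html.escape`, which escapes quotes by default and is the form to prefer where Python 3 is available; the `import cgi` added in the first hunk would change with it. The `@view_config` decorator for `hello_view` lies outside this hunk.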
@@ -23,7 +26,7 @@ def redirect_view(request):
return HTTPFound(location="/problem")
-# /problem which causes an site error
+# /problem which causes a site error
@view_config(route_name='exception')
def exception_view(request):
raise Exception()