def htmlFilter(request, d):
# note that spoofing __htmlfields doesn't help attacker get unsafe html in;
# we always call either clean() or escape().
try:
# don't use request['__htmlfields'], or you will recurse infinitely
toClean = request._post['__htmlfields'][0].split(',')
except KeyError:
toClean = []
for key in d:
if key in toClean:
d[key] = [Html.clean(s) for s in d[key]]
else:
d[key] = [Html.escape(s) for s in d[key]]
|