diff development.ini @ 8069:4f03bd5ac2f2
lib: handle both HTML, unsafe strings, and exceptions passed to helpers.flash()
Before, h.flash would trust any input to contain html ... and callers would
convert exceptions to string, often with a simple str() or unicode() ... which
really didn't deserve to be trusted.
Instead, only trust messages that have a __html__ and escape anything else ...
but also apply str/unicode on the parameter so the caller doesn't have to but
*can* pass an exception directly.
author | Mads Kiilerich <mads@kiilerich.com>
---|---
date | Tue, 24 Dec 2019 04:13:48 +0100
parents | 3ea66ef563f2
children | 7c7d6b5c07c7
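The commit message describes the escaping rule it introduces: a flash message is trusted as HTML only if it implements `__html__`; anything else (plain strings, exception objects) is coerced with `str()` and escaped. The following is an added, stand-alone illustration of that rule, not Kallithea's own code and not the diff of this changeset. It is Python 3, so the commit's separate `str()`/`unicode()` cases collapse into one; the `Markup` class is a minimal stand-in for `markupsafe.Markup` (assumed so the example runs offline), and the helper names `flash_unsafe` and `flash_escaped` are hypothetical, chosen to contrast the "before" and "after" behaviour.

```python
import html


class Markup(str):
    """A string already known to be safe HTML.

    Stand-in for markupsafe.Markup (assumption, so this runs without
    third-party packages): it implements the __html__ protocol that
    Jinja2/Mako-style escaping honours, so a helper can tell "already
    HTML" apart from "arbitrary text" without a flag argument.
    """

    def __html__(self):
        return self


def flash_unsafe(message):
    """'Before' behaviour (hypothetical stand-in for the old helper).

    Whatever the caller passes is interpolated straight into markup, so a
    caller doing flash_unsafe(str(exc)) leaks any user-controlled text in
    the exception into the page unescaped.
    """
    return '<div class="flash">%s</div>' % message


def flash_escaped(message):
    """'After' behaviour: trust only objects exposing __html__.

    Everything else is coerced with str() first (so an exception object can
    be passed directly) and then HTML-escaped, quotes included, so the
    result is also safe inside an attribute value.
    """
    if hasattr(message, "__html__"):
        body = message.__html__()
    else:
        body = html.escape(str(message), quote=True)
    return '<div class="flash">%s</div>' % body


def demo():
    """Constructed inputs: an exception whose text echoes user-supplied data,
    and a message the view deliberately built as HTML."""
    # Constructed: a validation error that embeds a repository name typed by
    # the user, which is where attacker-controlled markup would come from.
    user_repo_name = "<script>alert(1)</script>"
    exc = ValueError("Repository name not allowed: %s" % user_repo_name)

    # Constructed: markup the application itself produced and wants rendered.
    trusted = Markup('Changes <b>saved</b>')

    return {
        "before": flash_unsafe(str(exc)),   # script tag survives intact
        "after": flash_escaped(exc),        # exception passed directly, escaped
        "trusted": flash_escaped(trusted),  # __html__ present, left as-is
    }


if __name__ == "__main__":
    for label, out in demo().items():
        print("%-8s %s" % (label, out))
```

The check to carry over to any similar helper is the order of operations: the `__html__` test must come before the `str()` coercion, because `str(Markup(...))` still returns the same text but the result no longer carries `__html__`, and would be double-escaped; conversely, calling `str()` on an arbitrary object and then trusting it is exactly the bug the commit removes.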