Ben Bangert / WebHelpers


slug...@gmail.com  committed 3eec35b


  • Parent commits 527e244
  • Branches trunk


Files changed (4)

File docs/_templates/index.html

 <p>WebHelpers is a wide variety of utility functions for web applications and
 other applications. It can be used with any web framework.  <strong>Version
-1.1</strong> was released 2009-08-09.  See <a href="whats_new.html">What's
+1.2</strong> was released 2010-08-XX.  See <a href="{{ pathto('whats_new') }}">What's
 New</a> for a list of changes and upgrading hints.  (The helpers
 deprecated in 0.6 are removed in 1.0, including the entire rails suite.)</p>
+<p><strong>Security update in version 1.2:</strong> addresses a potential XSS
+attack; all users are recommended to upgrade. More in
+<a href="{{ pathto('whats_new') }}">What's New</a>.</p>
 <p>WebHelpers includes the widely-used HTML tag builder with smart escaping and
 convenience functions for common tags such as form fields. The common builder
 ensures the tags are syntactically correct and prevent cross-site scripting
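Review bot: the "Security update in version 1.2" paragraph added in this hunk tells users to upgrade but says neither what the hole is nor which versions are affected; since whats_new.rst in this same commit attributes the fix to MarkupSafe escaping single quotes, state that here (for example "versions before 1.2 do not escape single quotes in escaped output, which can allow XSS when escaped text lands in a single-quoted attribute value") so a reader can judge exposure without following the link. Separately, "2010-08-XX" is a placeholder release date and will be published verbatim if the docs are built before it is filled in; either set the real date in the release commit or mark it clearly as TBD.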
 types, including a value counter and accumulator.  There are lists of country
 names, country codes, US states, Canadian provinces, and UK counties.</p>
-<p>WebHelpers is pure Python and has no dependencies.  However, a few
-helpers depend on 
+<p>WebHelpers itself depends only on MarkupSafe, which has an optional C
+speedup for HTML escaping. However, a few individual helpers depend on 
 <a href="http://routes.groovie.org/">Routes</a>, 
 <a href="http://python.org/pypi/Unidecode/">unidecode</a>, 
 <a href="http://pythonpaste.org/webob/">WebOb</a>, or
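Review bot: this hunk changes the dependency story from "pure Python and has no dependencies" to a hard dependency on MarkupSafe, yet the commit touches only docs, requirements.txt and builder.py; please confirm the package metadata (install_requires) declares MarkupSafe with the minimum version builder.py needs, otherwise a plain install of 1.2 will fail at import time in webhelpers.html.builder. The phrase "optional C speedup" is good; consider adding that MarkupSafe works without the extension so that readers do not take the speedup for a build requirement.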

File docs/whats_new.rst

 *webhelpers.html*: The HTML builder now uses Armin Ronacher's
 "MarkupSafe" package, which Mako and Pylons have also switched to.  MarkupSafe
-has a C speedup for escaping, escapes single-quotes for greater security, and
-adds new methods to ``literal``.
+has a C speedup for escaping, escapes single-quotes for greater security (to
+close a potential XSS attack route), and adds new methods to ``literal``.
 * **literal** is now a subclass of ``markupsafe.Markup``
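Review bot: "escapes single-quotes for greater security (to close a potential XSS attack route)" is the only description of the security fix anywhere in the changeset, and it still does not say where the route was; name it (a single quote passing through ``escape`` unchanged and ending up inside a single-quoted HTML attribute value), state that releases before 1.2 are affected, and say whether callers need to do anything beyond upgrading. Since ``literal`` becomes a subclass of ``markupsafe.Markup``, it is also worth a sentence on whether existing ``isinstance(x, literal)`` checks and ``literal``'s operand-escaping behaviour are unchanged.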

File requirements.txt

 # Pip requirements to build WebHelpers documentation and run tests.
 # Required for tests
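Review bot: the header describes this file as the pip requirements "to build WebHelpers documentation and run tests", while builder.py in this same commit makes MarkupSafe a runtime import; a runtime dependency belongs in the package's install_requires (with the same minimum version, if one is pinned here), not only in the docs/test requirements. The rendered hunk shows just the two comment lines, so it is not visible whether MarkupSafe was added to this file at all; please confirm.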

File webhelpers/html/builder.py

 WebHelpers 1.2 uses MarkupSafe, a package which provides an enhanced
 implementation of this protocol. Mako and Pylons have also switched to
-MarkupSafe. MarkupSafe advantages are a C speedup for escaping,
+MarkupSafe. Its advantages are a C speedup for escaping,
 escaping single-quotes for security, and adding new methods to
 ``literal``. **literal** is now a subclass of ``markupsafe.Markup``.
 **escape** is ``markupsafe.escape_silent``. (The latter does not exist yet in
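Review bot: the docstring now says ``escape`` is ``markupsafe.escape_silent`` and that the latter "does not exist yet in" an older MarkupSafe, so the module-level import must either require the MarkupSafe release that ships ``escape_silent`` or provide a fallback; state the minimum MarkupSafe version in this docstring and enforce it in the package metadata rather than leaving it implicit. Also document that ``escape_silent`` differs from ``escape`` for ``None`` input (it returns an empty string instead of the text "None"), since that is a visible behaviour change for existing callers of ``webhelpers.html.escape``.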