Script tag converts " into &quot;
Quadrangle opened this issue
I am really enjoying Dominate. Great job on this Team Knio!
I can use the script tag to refer to an external .js file and all works well.
But for a script tag in the head or body elements, sensitive characters are escaped. The script does not work.
Is there an immediate workaround, like injecting text?
I just changed double quotes (") to single quotes (') in the JavaScript and all works.
Hi, this is to prevent XSS attacks in case the content of tags is user-generated (and applies to all tags, not just <script>). If you trust the content or it's just a static string, use the raw() util to prevent escaping, e.g.:
from dominate.tags import script
from dominate.util import raw  # raw() marks text so dominate does not HTML-escape it

# Wrap the static, trusted JavaScript in raw() so the double quotes are emitted as-is
script(raw('''
alert("Hello World!");
'''))