On Sat, Apr 7, 2012 at 4:45 PM, Phil Charlesworth <[email protected]> wrote:
> Peter,
> Thanks for sorting out Pyjamas logging - a great improvement. One
> point which I suggested during an earlier thread is still outstanding
> however.
>
> Here is the code for AppendHandler.emit
>
> (pyjamas/library/pyjamas/logging/handlers.py, class AppendHandler)
>     def emit(self, record):
>         msg = self.format(record)
>         msg = msg.replace("\n", "<br/>\n") + "<br/>\n"
>         self.output += msg
>         self.__addLogElement()
>         DOM.setInnerHTML(self.div, self.output)
>
> The text in msg is going straight into DOM.setInnerHTML, so it had
> better be legal HTML. You have recognised the need to convert line
> terminators into break tags but I think you should also escape &, < and
> >. This can be done very simply by adding
>     msg = cgi.escape(msg)
> immediately before the line
>     msg = msg.replace("\n", "<br/>\n") + "<br/>\n"

ahh there's actually a function in __pyjamas__.py called unescape, it
would be good to have a corresponding version escape, then have cgi
call that. then it would not be necessary to import the entire cgi
module.

l.
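
The escaping discussed in this thread, as an added example (not code from Pyjamas or from either poster): a stand-alone `escape` helper of the kind the reply asks for, applied before the `<br/>` substitution so that only the handler's own tags reach `innerHTML` as markup. The names `escape`, `to_log_html` and `to_log_html_unescaped` and the sample message are assumptions made for illustration.

```python
# Added example; the function names are hypothetical, not Pyjamas APIs.

def escape(text, quote=False):
    """Escape &, < and > (and quotes if asked) for use as HTML text."""
    # '&' must go first, otherwise the '&' of '&lt;' would be escaped again.
    text = text.replace("&", "&amp;")
    text = text.replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        # Only needed when the text ends up inside an attribute value.
        text = text.replace('"', "&quot;").replace("'", "&#x27;")
    return text


def to_log_html(msg):
    """Turn one formatted log message into markup safe to append to innerHTML."""
    # Escape first, then add <br/>: the break tags are the only live markup.
    return escape(msg).replace("\n", "<br/>\n") + "<br/>\n"


def to_log_html_unescaped(msg):
    """The behaviour of the emit() quoted above, kept for comparison."""
    return msg.replace("\n", "<br/>\n") + "<br/>\n"


# Constructed sample: a log record whose text happens to contain markup
# characters, as any message echoing user or document data can.
SAMPLE = 'unexpected element <div id="main"> in tree\ncheck failed: a < b & c > d'

if __name__ == "__main__":
    print("without escaping (the browser parses <div ...> as an element):")
    print(to_log_html_unescaped(SAMPLE))
    print("with escaping (the message is displayed as written):")
    print(to_log_html(SAMPLE))
```

Doing the two steps in the other order would escape the `<br/>` tags as well, so the log pane would show them literally instead of breaking lines.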

