Yeah, the search terms will be open to the public. But the search terms 
will be queried in the database using like() or contains() from the DAL. 
Will that be okay if those search terms are unsanitized?

On Monday, January 27, 2014 2:34:45 PM UTC-5, Anthony wrote:
>
> Is this just a search form making GET requests open to the public? In that 
> case, I don't think you need to worry about CSRF or input sanitizing.
>
> Anthony
>
> On Monday, January 27, 2014 2:16:04 PM UTC-5, Apple Mason wrote:
>>
>> If I manually create the raw html form and set the action attribute, how 
>> would I get csrf protection? SQLFORM would generate a token to handle this, 
>> but wouldn't I lack this protection if I write the html myself? Also, since 
>> there's no form.process().accepted, does this also mean I'm open to 
>> unsanitized input from the webuser?
>>
>> On Monday, January 27, 2014 1:11:27 PM UTC-5, Anthony wrote:
>>>
>>> You can set the "action" attribute of the form to the URL of your 
>>> searchbar() function (you might also change the method from post to get 
>>> since the form is for search). How you create the form itself in the view 
>>> depends on your needs. Do you just need a single text search field? What 
>>> does the search function do to return results?
>>>
>>> Anthony
>>>
>>> On Monday, January 27, 2014 1:02:03 PM UTC-5, Apple Mason wrote:
>>>>
>>>> I found this thread that has a similar problem:
>>>>
>>>> https://groups.google.com/forum/#!searchin/web2py/form$20in$20layout.html/web2py/JRxUYp_YpHk/4uVM7kg9Ja4J
>>>>
>>>> The example was:
>>>>
>>>> def contact(): 
>>>>      form = SQLFORM.factory(....) 
>>>>      if form.accepts(....): 
>>>>          pass  # handle the submitted form here 
>>>>      return form  # not dict(form=form) 
>>>>  
>>>> and in layout.html 
>>>>  
>>>> {{=LOAD('default','contact')}} 
>>>>
>>>> But in my case I would like to use {{=form.custom.begin}} and 
>>>> {{=form.custom.end}} to format the html in a certain way. How would this 
>>>> be possible?
>>>>
>>>> Also, is it possible to not use javascript to have a search form on 
>>>> every page?
>>>>
>>>> On Monday, January 27, 2014 12:20:50 AM UTC-5, Apple Mason wrote:
>>>>>
>>>>> Oh, it's probably because the url is /index.html and not 
>>>>> /searchform.html.
>>>>>
>>>>> In that case, how would I create a search form that is present 
>>>>> globally in the site?
>>>>>
>>>>> On Monday, January 27, 2014 12:04:43 AM UTC-5, Apple Mason wrote:
>>>>>>
>>>>>> My controller default.py:
>>>>>>
>>>>>> def searchbar():
>>>>>>     form = SQLFORM(....)
>>>>>>
>>>>>>     return dict(form=form)
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Monday, January 27, 2014 12:03:37 AM UTC-5, Apple Mason wrote:
>>>>>>>
>>>>>>> I have a search bar that I want to display on every page, but 
>>>>>>> something is not working. Here is an example of what I have:
>>>>>>>
>>>>>>> layout.html:
>>>>>>>
>>>>>>> <html>
>>>>>>> <body>
>>>>>>>
>>>>>>> <div class="searchbar">
>>>>>>>     {{include 'default/searchbar.html'}}
>>>>>>> </div>
>>>>>>>
>>>>>>> <div class="main"></div>
>>>>>>> </body>
>>>>>>> </html>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> In default/searchbar.html:
>>>>>>>
>>>>>>> {{=form}}
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> But web2py doesn't find the searchbar controller function. I get an 
>>>>>>> error: 
>>>>>>>
>>>>>>> "NameError: name 'form' is not defined"
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> because searchbar.html can't find {{=form}}.
>>>>>>>
>>>>>>> There have been some threads that use javascript for this, but I 
>>>>>>> don't want to use that. Is there a pure html solution for this?
>>>>>>>
>>>>>>
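An added example, not from this thread or from web2py, of what an "unsanitized" search term can and cannot do inside a LIKE query. Stdlib sqlite3 stands in for the web2py DAL, and the term is bound as a query parameter, which is the same property the DAL's like() is assumed to give by escaping string values: quotes in the term cannot change the SQL. What parameter binding does not handle is LIKE's own wildcards `%` and `_`, so the hypothetical escape_like() helper below deals with those separately.

```python
import sqlite3

# Constructed sample data standing in for a web2py table. Stdlib sqlite3 is
# used instead of the web2py DAL so the example runs without web2py installed.
SAMPLE_ROWS = [
    ("O'Brien's notes",),
    ("100% coverage",),
    ("plain text",),
    ("under_score",),
]


def make_db():
    """Create an in-memory table holding the constructed rows above."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE post (title TEXT)")
    con.executemany("INSERT INTO post (title) VALUES (?)", SAMPLE_ROWS)
    return con


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so the user's term is matched literally.

    The escape character itself is doubled first, then '%' and '_' are
    prefixed with it, matching the ESCAPE clause used in search().
    """
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search(con, term, literal=True):
    """Substring search on post.title, the way a GET search action would run.

    The pattern is always passed as a bound parameter, so a quote or a
    comment sequence in the term is just data and never part of the SQL.
    With literal=True the wildcards in the term are escaped as well; with
    literal=False they keep their wildcard meaning, so a bare '%' or '_'
    typed by the user matches every row.
    """
    pattern = "%" + (escape_like(term) if literal else term) + "%"
    sql = "SELECT title FROM post WHERE title LIKE ? ESCAPE '\\' ORDER BY rowid"
    return [row[0] for row in con.execute(sql, (pattern,))]
```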
