by pbronez 1183 days ago
Seems like that should just be a warning in the docs, since mostly we’re talking about trusted code written by the dev… Although maybe that’s untrusted from your perspective as a PaaS?

What’s the escape hatch to write custom HTML in the Python source?


There's "HTML (.add_html)" in the docs - "Renders raw HTML. This is meant to be an escape hatch for when you need to render something that isn't supported by PyVibe." I'm guessing this isn't sanitized and we trust the dev. After all, they can do "eval" in Python which is much riskier than raw HTML :)
All of the components support rendering arbitrary HTML, which is exactly the problem.
No escape hatch is required since nothing is escaped...
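As an added example (not PyVibe's code and not from anyone in the thread), here is a constructed stand-in for a component that interpolates strings verbatim, the behaviour the comment above describes, beside a wrapper that escapes untrusted values for their HTML context before they reach it. All function names and the sample input are constructed for illustration.

```python
import html
import re


def raw_card(title: str, body: str, link: str) -> str:
    """Constructed stand-in for a component that inserts its arguments unescaped."""
    return (f'<div class="card"><h2>{title}</h2><p>{body}</p>'
            f'<a href="{link}">more</a></div>')


def escaped_card(title: str, body: str, link: str) -> str:
    """Same component, but each untrusted value is escaped for where it lands."""
    # html.escape(quote=True) is sufficient for text content and for values
    # placed inside double-quoted attributes: it encodes < > & " and '.
    safe_title = html.escape(title, quote=True)
    safe_body = html.escape(body, quote=True)
    # An href is a URL context: escaping alone does not neutralise a
    # javascript: scheme, so allow only http(s) and site-relative links.
    allowed = link.strip().lower().startswith(("http://", "https://", "/"))
    safe_link = html.escape(link, quote=True) if allowed else "#"
    return raw_card(safe_title, safe_body, safe_link)


MARKUP_RE = re.compile(r"<[a-zA-Z/]")


def untrusted_markup_survives(rendered: str, untrusted: str) -> bool:
    """Detection check: did tag-like input reach the output unescaped?"""
    return MARKUP_RE.search(untrusted) is not None and untrusted in rendered


if __name__ == "__main__":
    # Constructed untrusted input, the kind a user-supplied title could carry.
    bad_title = "<script>alert(1)</script>"
    print(untrusted_markup_survives(raw_card(bad_title, "x", "/"), bad_title))      # True
    print(untrusted_markup_survives(escaped_card(bad_title, "x", "/"), bad_title))  # False
```

Applying the escaped wrapper at the boundary where untrusted data enters is the mitigation the thread is implicitly asking for when the component itself escapes nothing.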