form of escaping is context-dependent; Tornado’s templates are not aware of the syntax of HTML, JavaScript, etc, and so the template developer must sometimes explicitly apply the correct escaping function HTML body content (but not attribute values). In other cases, other functions should be used. In JavaScript, use the json_encode function, e.g. . json_encode used to escape strings, numbers, lists, and dicts. In this example, the JavaScript variable x will be the corresponding JavaScript 28 Chapter 6. DocumentationTornado Documentation, Release 6.5.1 type

vulnerabilities, it is not sufficient in all cases. Expressions that appear in certain locations, such as in Javascript or CSS, may need additional escaping. Additionally, either care must be taken to always use double function calls to render components of your page, and they can come packaged with their own CSS and JavaScript. For example, if you are implementing a blog, and you want to have blog entries appear on both show_comments=True) %} Modules can include custom CSS and JavaScript functions by overriding the embedded_css, embedded_javascript, javascript_files, or css_files methods: class Entry(tornado.web.UIModule):

vulnerabilities, it is not sufficient in all cases. Expressions that appear in certain locations, such as in JavaScript or CSS, may need additional escaping. Additionally, either care must be taken to always use double function calls to render components of your page, and they can come packaged with their own CSS and JavaScript. For example, if you are implementing a blog, and you want to have blog entries appear on both show_comments=True) %} Modules can include custom CSS and JavaScript functions by overriding the embedded_css, embedded_javascript, javascript_files, or css_files methods: class Entry(tornado.web.UIModule):

vulnerabilities, it is not sufficient in all cases. Expressions that appear in certain locations, such as in Javascript or CSS, may need additional escaping. Additionally, either care must be taken to always use double function calls to render components of your page, and they can come packaged with their own CSS and JavaScript. For example, if you are implementing a blog, and you want to have blog entries appear on both show_comments=True) %} Modules can include custom CSS and JavaScript functions by overriding the embedded_css, embedded_javascript, javascript_files, or css_files methods: class Entry(tornado.web.UIModule):

vulnerabilities, it is not sufficient in all cases. Expressions that appear in certain locations, such as in Javascript or CSS, may need additional escaping. Additionally, either care must be taken to always use double function calls to render components of your page, and they can come packaged with their own CSS and JavaScript. For example, if you are implementing a blog, and you want to have blog entries appear on both show_comments=True) %} Modules can include custom CSS and JavaScript functions by overriding the embedded_css, embedded_javascript, javascript_files, or css_files methods: class Entry(tornado.web.UIModule):

vulnerabilities, it is not sufficient in all cases. Expressions that appear in certain locations, such as in Javascript or CSS, may need additional escaping. Additionally, either care must be taken to always use double function calls to render components of your page, and they can come packaged with their own CSS and JavaScript. For example, if you are implementing a blog, and you want to have blog entries appear on both show_comments=True) %} Modules can include custom CSS and JavaScript functions by overriding the embedded_css, embedded_javascript, javascript_files, or css_files methods: class Entry(tornado.web.UIModule):

form of escaping is context-dependent; Tornado’s templates are not aware of the syntax of HTML, JavaScript, etc, and so the template developer must sometimes explicitly apply the correct escaping function HTML body content (but not attribute values). In other cases, other functions should be used. In JavaScript, use the json_encode function, e.g. . json_encode used to escape strings, numbers, lists, and dicts. In this example, the JavaScript variable x will be the corresponding JavaScript type (string, number, array, or object), and not the JSON-encoded string

vulnerabilities, it is not sufficient in all cases. Expressions that appear in certain locations, such as in JavaScript or CSS, may need additional escaping. Addition- ally, either care must be taken to always use double function calls to render components of your page, and they can come packaged with their own CSS and JavaScript. For example, if you are implementing a blog, and you want to have blog entries appear on both show_comments=True) %} Modules can include custom CSS and JavaScript functions by overriding the embedded_css, embedded_javascript, javascript_files, or css_files methods: class Entry(tornado.web.UIModule):

vulnerabilities, it is not sufficient in all cases. Expressions that appear in certain locations, such as in JavaScript or CSS, may need additional escaping. Addition- ally, either care must be taken to always use double function calls to render components of your page, and they can come packaged with their own CSS and JavaScript. For example, if you are implementing a blog, and you want to have blog entries appear on both show_comments=True) %} Modules can include custom CSS and JavaScript functions by overriding the embedded_css, embedded_javascript, javascript_files, or css_files methods: class Entry(tornado.web.UIModule):

vulnerabilities, it is not sufficient in all cases. Expressions that appear in certain locations, such as in JavaScript or CSS, may need additional escaping. Addition- ally, either care must be taken to always use double function calls to render components of your page, and they can come packaged with their own CSS and JavaScript. For example, if you are implementing a blog, and you want to have blog entries appear on both show_comments=True) %} Modules can include custom CSS and JavaScript functions by overriding the embedded_css, embedded_javascript, javascript_files, or css_files methods: class Entry(tornado.web.UIModule):