Hi Adam,

A good question which probably warrants further discussion. As far as Arches v3 goes, there are some gaps related to the csrf_exempt decorator that will be closed in v4. For the most part we use the ORM and should be protected against SQL injection. Most of our data comes in as JSON strings and is never rendered as HTML, so we should be safe there. As far as the "|safe" filter is concerned, we only use those on instances where we use Summernote for HTML descriptions, and that data gets escaped by the Summernote widget (although it looks like someone, an authenticated user mind you, could use the dev tools to bypass that).

Hope that helps a little.

Cheers,
Alexei
Director of Web Development - Farallon Geographics, Inc. - 971.227.3173

On Mon, Apr 11, 2016 at 9:46 AM, Adam Cox <[email protected]> wrote:
> EDIT: I mistakenly pasted the wrong link... This is what I meant to reference:
> http://security.stackexchange.com/questions/27805/is-djangos-built-in-security-enough
> Sorry for the confusion.
>
> On Mon, Apr 11, 2016 at 10:43 AM, Adam Cox <[email protected]> wrote:
>
>> Hello, I'm anticipating security-related questions, and I was looking into what people have to say about Django generally. I'm wondering if an Arches developer can comment on the subjects raised in this thread: https://groups.google.com/forum/#!topic/archesproject/sXu6qpMuoAs, regarding SQL injection, CSRF, and XSS attacks. I've noticed a couple of specific things--that a number of model functions have the csrf_exempt decorator, and that the "|safe" filter is used in the report templates, for example--but I would appreciate a general rundown of how Arches is a secure Django application.
>>
>> Thanks,
>> Adam
>>
>> --
>> -- To post, send email to [email protected]. To unsubscribe, send email to [email protected]. For more information, visit https://groups.google.com/d/forum/archesproject?hl=en
>> ---
>> You received this message because you are subscribed to the Google Groups "Arches Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
