Simon Willison wrote:
>
> I had the chance to chat with Rasmus Lerdorf a few weeks ago, and one
> of the topics that came up was input filtering for web application
> security. Rasmus knows a heck of a lot about this stuff (don't let
> PHP's past mistakes let you think otherwise) and described the
> following scheme which I think Django could make good use of.
>
> Basically, instead of accessing data from GET and POST directly,
> applications use utility functions that filter depending on what the
> application is asking for. Say you want to get an integer that someone
> has entered. In current Django, you might do this:
>
> a = int(request.GET['a'])
>
> With smart input filtering, you would do something like this instead:
>
> a = request.GET.as_int('a')
>
> Functions like this can be created for all kinds of data. Here are a
> few examples off the top of my head:
>
> a = request.GET.as_email('email')
> a = request.GET.as_float('f')
> a = request.GET.as_safe_html('body')
>
Sounds interesting - I'm wondering how this would interact with the
get_list thing in MultiValueDict ... not sure we want a duplicate for a
list of every type.
Also, do we just pick a bunch of things this works for, or is it
extensible?
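As an added illustration (not code from Simon, Rasmus or Django), here is a hypothetical `FilteredValueDict` sketching both points raised above: the `as_*` accessors are generated from an extensible converter registry, and every converter automatically gets an `as_*_list` counterpart to `get_list` instead of a hand-written duplicate per type. The class name, `register()` and the `_list` suffix are assumptions, and the sample data is constructed.

```python
import html
import re

class FilteredValueDict:
    """Stand-in for a MultiValueDict (key -> list of raw strings, like request.GET)."""
    converters = {}  # name -> callable(str) -> value; extended with register()

    def __init__(self, data):
        self._data = {key: list(values) for key, values in data.items()}

    @classmethod
    def register(cls, name, func):
        """Add a converter; as_<name>() and as_<name>_list() then exist for every dict."""
        cls.converters[name] = func

    def as_(self, kind, key, default=None):
        """Convert the last value for key (MultiValueDict semantics); default if missing or invalid."""
        values = self._data.get(key)
        if not values:
            return default
        try:
            return self.converters[kind](values[-1])
        except (ValueError, TypeError):
            return default

    def as_list(self, kind, key):
        """Typed get_list: convert every value, silently dropping the ones that fail validation."""
        out = []
        for raw in self._data.get(key, []):
            try:
                out.append(self.converters[kind](raw))
            except (ValueError, TypeError):
                pass
        return out

    def __getattr__(self, name):
        # as_int('a') -> as_('int', 'a');  as_int_list('ids') -> as_list('int', 'ids')
        if name.startswith("as_"):
            kind = name[3:]
            if kind.endswith("_list") and kind[:-5] in self.converters:
                return lambda key: self.as_list(kind[:-5], key)
            if kind in self.converters:
                return lambda key, default=None: self.as_(kind, key, default)
        raise AttributeError(name)

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def _email(raw):
    if not _EMAIL_RE.match(raw):
        raise ValueError("not an email address")
    return raw

FilteredValueDict.register("int", int)
FilteredValueDict.register("float", float)
FilteredValueDict.register("email", _email)
FilteredValueDict.register("safe_html", html.escape)  # escaping stands in for a real sanitizer

# Constructed sample data, as a parsed query string might populate request.GET.
GET = FilteredValueDict({"a": ["42"], "f": ["3.5", "x"], "email": ["bob@example.com"],
                         "ids": ["1", "2", "three"], "body": ["<b>hi</b>"]})
```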