the idea of it being in the model was more along the lines of validating
incoming data than it was munging outgoing.  html is almost always
either acceptable or it's not in a given field.  (per your example: who
wants arbitrary HTML allowed in a plain text email and not in a web
page?)

but i still argue that no implicit magic munging should happen anywhere.  it's
not that hard to get into safe-from-XSS coding styles.  we did it for
sql injection, didn't we?  :)

however, i would much rather have a flag/tag at the top of my template
than a global default based on template file type.


Simon Willison wrote:
> On 14 Jun 2006, at 14:44, Derek Anderson wrote:
> 
>> the problem is that there are multiple types of escaping.  sql?  html?
>> javascript?  new-web-tech-of-the-day?  do you escape them all, or  
>> just some?
>>
>> personally, i don't like my framework to auto-munge my data behind my
>> back.  esp. in ways that are not clearly defined and could change on a
>> whim.  too many potential secondary effects.  plus it stinks to me  
>> of a
>> false sense of security while implicitly OKing people to ignore  
>> security.
>>
>> but if it is going to be done, i'd suggest a flag on the field in the
>> model.  ("automunge-html":="true"?)  with perhaps a model default.
> 
> The model is definitely the wrong place for this - after all, a model  
> field might be output in a plain text email where escaping isn't  
> appropriate.
> 
> The problem here is very simple: XSS is the most common vulnerability  
> on the Web. It's unbelievably easy for an XSS vulnerability to sneak  
> into an application - even experienced programmers who completely  
> understand the security implications are likely to forget to add a | 
> escape filter once in a while.
> 
> Obviously we DO need to be able to turn auto escaping off - there are  
> plenty of cases where it isn't appropriate. A classic example from  
> Django at the moment would be:
> 
> {% value|markdown %}
> 
> We should also be able to turn it off for people who don't like it,  
> like yourself!
> 
> BUT... we can't have it as a global setting. magic quotes in PHP has  
> taught us that much - global settings relating to auto filtering of  
> data lead to insanity when you start wanting to create reusable  
> applications.
> 
> That's why I'm keen on having escaping set at the template level. I'm  
> actually starting to feel that using the template extension might not  
> be a bad idea here. "index.html" has auto escaping, "index.txt"  
> doesn't. That way templates don't have to include an ugly extra tag  
> at the top of the code.
> 
> Cheers,
> 
> Simon 
> 

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-developers
-~----------~----~----~----~------~----~------~--~---
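The thread above argues about where auto-escaping should be switched on (model field, template tag, or template file extension), how a template opts back out for filters like `|markdown`, and that "escaping" is not one thing (HTML vs. JavaScript). The following is an added example, not Django's code and not code posted by anyone in the thread: a deliberately small `{{ var|filter }}` renderer that defaults auto-escaping from the template name as Simon suggests (`.html` on, `.txt` off), uses a `SafeString` marker so a filter can return trusted markup without being escaped a second time, and keeps HTML and JavaScript escaping as separate filters. The names `render`, `mark_safe`, `escape_html`, `escape_js` and the `markdown` filter are all assumptions made for this example; the inputs are constructed.

```python
import html
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SafeString:
    """Marker for output a filter vouches for; the auto-escaper leaves it alone."""
    value: str


def mark_safe(s):
    return s if isinstance(s, SafeString) else SafeString(str(s))


def escape_html(value):
    """HTML text/attribute context. Already-safe markup passes through unchanged."""
    if isinstance(value, SafeString):
        return value.value
    return html.escape(str(value), quote=True)


def escape_js(value):
    """JavaScript string-literal context. JSON-encode, then neutralise the
    characters that would let a value close a <script> block early."""
    encoded = json.dumps(str(value))
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def markdown_filter(value):
    """Stand-in for a |markdown filter (assumed name). Untrusted input is HTML-escaped
    first, then a single *emphasis* rule is applied and the result is marked safe.
    A real Markdown library passes raw HTML through, so in practice such a filter
    may only be fed trusted content."""
    text = escape_html(value)
    text = re.sub(r"\*([^*]+)\*", r"<em>\1</em>", text)
    return mark_safe(text)


# Filters that return plain str are still subject to auto-escaping;
# filters that return SafeString have taken responsibility for their output.
FILTERS = {
    "escape": lambda v: mark_safe(escape_html(v)),   # explicit, never double-escaped
    "safe": lambda v: mark_safe(v),                   # the opt-out for trusted HTML
    "escapejs": lambda v: mark_safe(escape_js(v)),
    "markdown": markdown_filter,
    "upper": lambda v: str(v).upper(),                # ordinary filter: output untrusted
}

VAR_RE = re.compile(r"\{\{\s*(\w+)((?:\|\w+)*)\s*\}\}")


def render(template, context, name="page.html", autoescape=None):
    """Expand {{ var|filter|... }} placeholders.

    autoescape defaults from the template name: *.html escapes by default,
    anything else (e.g. a .txt email body) does not. Passing autoescape=True/False
    is the explicit per-template switch the thread also discusses."""
    if autoescape is None:
        autoescape = name.endswith(".html")

    def substitute(match):
        value = context[match.group(1)]
        for filter_name in match.group(2).split("|")[1:]:
            value = FILTERS[filter_name](value)
        if autoescape:
            return escape_html(value)
        return value.value if isinstance(value, SafeString) else str(value)

    return VAR_RE.sub(substitute, template)


if __name__ == "__main__":
    # Constructed sample input: an attacker-controlled display name.
    payload = "</script><script>alert(1)</script>"
    print(render("<p>{{ name }}</p>", {"name": payload}))                       # escaped
    print(render("Hello {{ name }}", {"name": payload}, name="mail.txt"))        # raw, by design
    print(render("<script>var n = {{ name|escapejs }};</script>", {"name": payload}))
    print(render("{{ body|markdown }}", {"body": "*hi* <i>not a tag</i>"}))
```

Two points worth checking against your own framework: a value that has gone through `|escape` or `|escapejs` must not be HTML-escaped again when auto-escaping is on (otherwise `"` inside the script becomes `&quot;` and the JavaScript breaks), and anything that reaches a `.txt` template is emitted verbatim, so the extension-based default only helps if templates are named honestly.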
