I don't know that "dangerously_trust_html" is a better name. The argument 
is supposed to be a string that you know is trusted so there shouldn't be 
any danger involved. Naming something based on how it could be misused 
seems odd.

For me, mark_safe() is a fine name, but maybe that preference is from a 
knowledge of django.utils.safestring internals that most users don't have.

On Thursday, February 22, 2018 at 7:16:29 AM UTC-5, Josh Smeaton wrote:
>
> The concern isn't overusing an API. It's not understanding the proper use 
> case for it.
>
> "mark safe" can sound like the API is doing sanitation so it can encourage 
> developers to use it incorrectly. I'm fairly sure I've done this myself.
>
> The intended meaning is "this output is **already** safe" but the name 
> doesn't convey that meaning clearly enough.
>
> What the proposal is designed to do is convey the "I trust this output" 
> meaning of the API. I'm just wary of enforcing users to change code when 
> they already use the API correctly.
>
> On Thursday, 22 February 2018 21:08:31 UTC+11, Florian Apolloner wrote:
>>
>> Yeah, I am also worried about the churn for no gain in my eyes. If users 
>> overuse mark_safe, they will overuse dangerously_trust_html too…
>>
>> On Wednesday, February 21, 2018 at 10:41:15 PM UTC+1, Josh Smeaton wrote:
>>>
>>> I agree that the names are misleading and we should probably provide 
>>> better names. I'm wary of deprecating the old names because it'll create a 
>>> lot of churn (some of which would be the right thing to do). Maybe we could 
>>> just alias and warn when using the old name, leaving a decision on 
>>> deprecation until some time in the future.
>>>
>>> On Monday, 29 January 2018 03:14:27 UTC+11, Stuart Cox wrote:
>>>>
>>>> In my experience, misuse of mark_safe() — i.e. marking stuff safe 
>>>> which *isn’t* actually safe (e.g. HTML from a rich text input) — is 
>>>> one of the biggest causes of XSS vulnerabilities in Django projects.
>>>>
>>>> The docs warn to be careful, but unfortunately I think Django devs have 
>>>> just got too used to mark_safe() being *the way* to insert HTML in a 
>>>> template. And it’s easy for something that was safe when it was authored 
>>>> (e.g. calling mark_safe() on a hard-coded string) to be copied / 
>>>> repurposed / adapted into a case which is no longer safe (e.g. that 
>>>> string replaced with a user-provided value).
>>>>
>>>> Some other frameworks use scary sounding names to help reinforce that 
>>>> there are dangers around similar features, and that this isn’t something 
>>>> you should use in everyday work — e.g. React’s dangerouslySetInnerHTML.
>>>>
>>>> Relatedly, this topic 
>>>> <https://groups.google.com/d/msg/django-developers/c4fa2pOcHxo/EtT942WnyiAJ>
>>>> suggested making it more explicit that mark_safe() refers to being safe for use 
>>>> in *HTML* contexts (rather than JS, CSS, SQL, etc).
>>>>
>>>> Combining the two, it would be great if Django could rename mark_safe() to 
>>>> dangerously_trust_html(), |safe to |dangerously_trust_html, 
>>>> @csrf_exempt to @dangerously_csrf_exempt, etc.
>>>>
>>>> Developers who know what they’re doing with these could then be 
>>>> encouraged to create suitable wrappers which handle their use case safely 
>>>> internally — e.g.:
>>>>
>>>> import bleach
>>>> from django import template
>>>> register = template.Library()
>>>>
>>>> @register.filter
>>>> def sanitize_and_trust_html(value):
>>>>     # Safe because we sanitize before trusting (dangerously_trust_html = proposed name for mark_safe)
>>>>     return dangerously_trust_html(bleach.clean(value))
>>>>
>>>>
>>>>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/370611c1-2031-4c0b-9f56-4b2c482e1113%40googlegroups.com.
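The mark_safe() misuse Stuart Cox describes above (trusting HTML from a rich text input) and the sanitize-then-trust wrapper he proposes, as an added, stand-alone example that is not part of the original thread and not Django's code. It needs only the standard library: SafeStr, mark_safe, conditional_escape and render are simplified stand-ins for django.utils.safestring / django.utils.html and Django's autoescaping, AllowlistSanitizer stands in for bleach.clean(), and COMMENT is a constructed attacker-controlled input.

```python
"""Why mark_safe() on untrusted input is an XSS sink, and how a
sanitize-then-trust wrapper differs.  Stdlib only; the names below mirror
Django's but are simplified stand-ins, not Django's implementation."""
from html import escape
from html.parser import HTMLParser


class SafeStr(str):
    """A string the developer asserts is already safe HTML; autoescape skips it."""


def mark_safe(value: str) -> SafeStr:
    """Asserts trust only. Nothing is sanitized, just like Django's mark_safe()."""
    return SafeStr(value)


def conditional_escape(value) -> SafeStr:
    """What autoescaping does per variable: escape unless already marked safe."""
    if isinstance(value, SafeStr):
        return value
    return SafeStr(escape(str(value), quote=True))


def render(template: str, **context) -> str:
    """Minimal autoescaping renderer: every {name} goes through conditional_escape."""
    return template.format(**{k: conditional_escape(v) for k, v in context.items()})


# Allowlist sanitizer (stand-in for bleach.clean()).  Tags outside the allowlist
# are dropped but their text is kept, except script/style whose content is
# discarded; every attribute is dropped except an http(s) href on <a>.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
DROP_CONTENT = {"script", "style"}


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded, re-escaped on output
        self.out = []
        self._skip = 0  # > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skip += 1
        elif self._skip:
            return
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
        elif tag == "a":
            href = dict(attrs).get("href") or ""
            if href.lower().startswith(("http://", "https://")):
                self.out.append(f'<a href="{escape(href, quote=True)}">')
            else:  # javascript:, data:, relative: keep the link text, drop the target
                self.out.append("<a>")
        # any other tag (img, iframe, svg, ...) is removed; its text content survives

    def handle_startendtag(self, tag, attrs):  # <br/> and friends
        self.handle_starttag(tag, attrs)
        if tag != "br":
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and (tag in ALLOWED_TAGS or tag == "a"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=True))


def sanitize_and_trust_html(value: str) -> SafeStr:
    """The wrapper proposed in the thread: trust only after sanitizing.
    In a Django project this would be registered with @register.filter."""
    parser = AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return mark_safe("".join(parser.out))


# Constructed attacker-controlled comment (not real data).
COMMENT = ('<b>Nice post</b><script>alert(document.cookie)</script>'
           '<a href="javascript:alert(1)" onclick="steal()">link</a>')
TEMPLATE = '<div class="comment">{comment}</div>'


def render_autoescaped() -> str:
    """Default behaviour: the whole comment is escaped; formatting is lost but safe."""
    return render(TEMPLATE, comment=COMMENT)


def render_marked_safe() -> str:
    """The misuse from the thread: mark_safe() on user HTML ships the script tag."""
    return render(TEMPLATE, comment=mark_safe(COMMENT))


def render_sanitized() -> str:
    """Sanitize, then trust: bold text survives, script and javascript: href do not."""
    return render(TEMPLATE, comment=sanitize_and_trust_html(COMMENT))


if __name__ == "__main__":
    for fn in (render_autoescaped, render_marked_safe, render_sanitized):
        print(f"{fn.__name__:20s} {fn()}")
```

The point the thread is making sits in the three render_* functions: the same template with the same user input is safe under autoescaping, exploitable once the value is wrapped in mark_safe(), and both safe and formatted only when the trust assertion is applied to sanitizer output. Whatever the function is eventually called, the wrapper is the only place where trusting a string is justified.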