#28121: force_text incorrectly handles SafeBytes under PY3
------------------------------------+--------------------------------------
Reporter: Thomas Achtemichuk | Owner: nobody
Type: Bug | Status: new
Component: Utilities | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------------+--------------------------------------
Comment (by Aymeric Augustin):
Hrm. I realize I have no idea what `SafeBytes` are.
If you don't know the charset of the document in which you're going to
interpolate these bytes, you have no idea what unicode codepoints they'll
map to and you cannot make any guarantees about their safety in an HTML
context.
It would be tempting to say "they're in DEFAULT_CHARSET", but that's too
fragile for a security-critical feature. They could still be interpolated
into something in another charset.
IMO the only way to fix this is to remove `SafeBytes`. I can't see a way
to define it in a way that makes sense from a security perspective, short
of annotating them with a charset, but then we've reinvented text strings.
--
Ticket URL: <https://code.djangoproject.com/ticket/28121#comment:13>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
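A worked illustration of the argument in the comment above: a byte string marked "safe" carries no charset, so the same bytes decode to different code points depending on which charset the receiving document assumes, and an escape performed under one charset can surface tag delimiters under another. This is an added example, not code from the ticket or from Django itself; `escaped_bytes`, `reinterpret` and `leaks_markup` are hypothetical helpers, and the sample fragments are constructed for the demonstration.

```python
import html

# Characters html.escape(quote=True) never leaves in its output. If any of them
# appears after re-decoding "safe" bytes, the safety mark no longer holds.
TAG_DELIMITERS = set('<>"\'')


def escaped_bytes(text: str, charset: str) -> bytes:
    """Escape text for HTML, then encode it.

    This is what a SafeBytes value effectively holds: escaped content whose
    charset is known only at the moment of encoding and is not recorded.
    """
    return html.escape(text, quote=True).encode(charset)


def reinterpret(safe: bytes, charset: str) -> str:
    """Decode supposedly-safe bytes under the charset of the receiving document."""
    return safe.decode(charset, errors="replace")


def leaks_markup(text: str, produced_in: str, consumed_in: str) -> bool:
    """True if bytes escaped under produced_in expose tag delimiters when
    the consuming document reads them as consumed_in."""
    decoded = reinterpret(escaped_bytes(text, produced_in), consumed_in)
    return any(ch in TAG_DELIMITERS for ch in decoded)


def render_text(text: str) -> str:
    """The sound alternative: keep escaped content as text (str) and let the
    output layer encode it once, with the charset of the document it emits."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    # Constructed case 1: plain ASCII with no HTML-special characters, so
    # html.escape returns it unchanged. Read as UTF-7, "+ADw-" is "<".
    print(leaks_markup("+ADw-script+AD4-", "ascii", "utf-7"))      # True

    # Constructed case 2: U+3C00 is an ordinary CJK ideograph and needs no
    # escaping. Its UTF-16-LE bytes are 00 3C; read as Latin-1 that is "\x00<".
    print(leaks_markup("\u3c00", "utf-16-le", "latin-1"))          # True

    # Same charset on both sides: the escape survives and nothing leaks.
    print(leaks_markup("<b>bold</b>", "utf-8", "utf-8"))           # False

    # Text stays text until the output boundary; no charset mismatch is possible.
    print(render_text("<b>bold</b>"))                              # &lt;b&gt;bold&lt;/b&gt;
```

The two "leaks" cases are exactly the situation the comment describes: nothing about the bytes themselves is wrong, and the escape was correct for the charset it was performed in, but the safety guarantee is a statement about code points, not about bytes, so it cannot be attached to a byte string without also attaching the charset.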