On 19 February 2011 01:36, Masklinn <maskl...@masklinn.net> wrote:
> On 2011-02-18, at 15:31 , dave b wrote:
>> On 19 February 2011 01:29, Shawn Milochik <sh...@milochik.com> wrote:
>>> By the way -- I realized what happened. You CC'd me on the e-mail to the
>>> list. So when I replied it went directly to you.
>>
>> Ah sorry about the mix up then!
>> Yeah :P
>>
>> My view on this is that documentation can always be improved !
> Sure, but the way to do it is usually to open a bug on the tracker and
> provide a documentation patch (or alternatively find a way to fix the issue
> itself, but as far as I can tell if you're putting unchecked unvalidated data
> in your links there isn't much that can be done to help you).
Um, no I am not. I was using href with javascript as an example.

Example for Cal:

views.py

    from django.shortcuts import render_to_response

    def show_lol(request):
        # An untrusted value dropped straight into an href. Autoescaping does
        # not alter it: "javascript:alert(document.cookie)" contains none of
        # the characters HTML escaping touches.
        return render_to_response("lol.html", {"lol": "javascript:alert(document.cookie)"})

lol.html

    <html>
    <body>
    <a href="{{ lol }}">OKOKOKOK</a>
    </body>
    </html>

Yes this is very contrived. If you used a URLField and the validator runs - this will not be saved in the first place.

Please do keep in mind that this is just a dumb example of attribute abuse. (./sleep &)

Sorry I am very tired atm - it isn't attribute injection - just abuse.
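The point of the thread is that template autoescaping only neutralises HTML metacharacters; a `javascript:` URL has none, so it passes through an `href` untouched and the fix has to be URL-scheme validation (which is what Django's URLField validator gives you at save time). The following is an added example, not dave b's code and not part of Django: a small scheme allowlist you could apply at render time to any URL that did not go through a validated field. The function names `is_safe_href`, `safe_href` and `render_link`, the `ALLOWED_SCHEMES` set and the sample URLs are all my own choices; it mirrors the WHATWG URL parser's pre-processing (strip leading/trailing C0 controls and space, drop tab/CR/LF anywhere) so that obfuscated spellings of the scheme are caught as well.

```python
import html
import re
from urllib.parse import urlsplit

# Schemes a link in rendered HTML is allowed to carry (assumed policy for this
# example; adjust to what the application really needs).
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# C0 control characters plus space: browsers strip these from both ends of a
# URL before parsing it.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def normalize(url: str) -> str:
    """Apply the same pre-processing a browser applies before scheme parsing."""
    url = url.strip(_C0_AND_SPACE)
    # Tab, CR and LF are removed wherever they occur, so "java\tscript:" is
    # parsed by the browser as "javascript:". Normalising first closes that gap.
    return re.sub(r"[\t\r\n]", "", url)


def is_safe_href(url: str) -> bool:
    """True if the URL is relative or uses an allowlisted scheme."""
    scheme = urlsplit(normalize(url)).scheme.lower()
    if scheme == "":
        return True  # relative URL: stays on the serving origin
    return scheme in ALLOWED_SCHEMES


def safe_href(url: str, fallback: str = "#") -> str:
    """Return the URL unchanged if its scheme is acceptable, else a harmless fallback."""
    return url if is_safe_href(url) else fallback


def render_link(text: str, url: str) -> str:
    """Render an anchor: scheme-check the URL, then HTML-escape both parts."""
    return '<a href="%s">%s</a>' % (
        html.escape(safe_href(url), quote=True),
        html.escape(text, quote=True),
    )


def escaping_alone_is_enough(url: str) -> bool:
    """Show why autoescaping does not help: True only if escaping changed the value."""
    return html.escape(url, quote=True) != url


if __name__ == "__main__":
    # Constructed sample inputs; the first is the value from the thread.
    samples = [
        "javascript:alert(document.cookie)",
        "JaVaScRiPt:alert(1)",
        " \tjava\nscript:alert(1)",
        "data:text/html;base64,AAAA",
        "https://example.com/?a=1&b=2",
        "/accounts/login/?next=/",
    ]
    for s in samples:
        print(
            "%-40r escaping-changes=%-5s safe=%-5s -> %s"
            % (s, escaping_alone_is_enough(s), is_safe_href(s), render_link("OK", s))
        )
```

`render_link` still escapes the URL after the scheme check; the two steps protect different things (the scheme check stops script execution through the URL itself, escaping stops breaking out of the attribute), and neither replaces the other.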