On Sun, Aug 24, 2008 at 7:07 AM, coan <[EMAIL PROTECTED]> wrote:
> I wonder why custom error messages are considered more dangerous than
> the help_text in the same form?
Because people do things like this:
class HackMySiteForm(forms.Form):
some_text = forms.CharField(max_length=255)
def clean_some_text(self):
if not some_validation_check():
raise forms.ValidationError(u"Your submission -- %s -- was
not valid" % self.cleaned_data["some_field"])
return self.cleaned_data['some_field']
Which, of course, is a gaping cross-site-scripting hole.
--
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---