I saw the developer of Python's ESAPI library recently published Swingset, designed to educate about XSS (cross-site scripting) and other vulnerabilities in Python: http://owasp-esapi-python-swingset.appspot.com/ Of particular note for Pylons community members is his demonstration of a couple of vulnerabilities in Django's autoescaping capabilities: http://owasp-esapi-python-swingset.appspot.com/xss/django

The app and demonstration beg the question of how secure we can feel with Pylons' current security protections, and what would be an appropriate/efficient way to address the topic of Pylons security given all its rich, varied (and frequently awesome : )) components. To protect against XSS attacks, for instance, there needs to be adequate input validation/sanitization (via whitelists/blacklists) as well as escaping, and a variety of other subtle (and unfortunately, sometimes limited) protections (e.g.: setting the HttpOnly flag on cookies). And sometimes protections may be needed in non-obvious components (e.g.: Routes, for instance (?)).

I've seen patches for XSS vulnerabilities in various Pylons components, and I've read that e.g.: FormEncode and Mako (and perhaps Paster) have at least some XSS protections (yay!), but I guess what I'm curious about (and perhaps others are too) is the level of those protections: does Pylons *as a whole*, or *component-by-component*, have good (and how good?) protections against well-established attacks such as XSS, Injection, and CSRF, and how confident can I be in this without testing it all myself?

Many Thanks!
Nat Wharton
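The post names two protections, output escaping and the HttpOnly cookie flag, and points at a demo of autoescaping gaps. The added example below (mine, not part of the original post, and not Pylons, Mako or Django code) illustrates the general point behind such gaps: HTML escaping is only sufficient for the context the template places the value in. The same escaped string is safe as element content and inside a quoted attribute, but an unquoted attribute lets it break out no matter how it is escaped, and escaping without `quote=True` lets a raw double quote close the attribute. It uses only the Python standard library (`html`, `html.parser`, `http.cookies`); the input string and session id are constructed samples.

```python
"""Added example (not from the original post or from Pylons): shows why
output escaping depends on the HTML context the value lands in, and how
to emit a session cookie with the HttpOnly flag the post mentions.
Standard library only; every input below is a constructed sample."""
import html
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Constructed sample form input: a double quote followed by an extra attribute.
UNTRUSTED = 'x" onmouseover="alert(1)'


class _AttrNames(HTMLParser):
    """Collects attribute names the way a tolerant HTML parser sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.names: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)


def attribute_names(markup: str) -> list[str]:
    """Return the attribute names a parser finds in the rendered markup.
    If an injected name such as 'onmouseover' shows up here, the escaping
    used for that context failed."""
    parser = _AttrNames()
    parser.feed(markup)
    parser.close()
    return parser.names


def render_body(value: str) -> str:
    """Element-content context: escaping <, > and & is enough."""
    return "<p>Hello, %s</p>" % html.escape(value)


def render_attr_quoted(value: str) -> str:
    """Quoted attribute with quote=True: the quote becomes &quot; and the
    whole value stays inside the attribute."""
    return '<input value="%s">' % html.escape(value, quote=True)


def render_attr_quoted_weak(value: str) -> str:
    """Quoted attribute with quote=False: the raw double quote closes the
    attribute early, so the injected onmouseover becomes a real attribute."""
    return '<input value="%s">' % html.escape(value, quote=False)


def render_attr_unquoted(value: str) -> str:
    """Unquoted attribute: even full escaping cannot help, because a space
    ends the attribute. No escaping call fixes this; the template must quote."""
    return "<input value=%s>" % html.escape(value, quote=True)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for a session cookie with HttpOnly (and Secure) set,
    so page script cannot read it even if an XSS bug slips through."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()


if __name__ == "__main__":
    renderers = (render_body, render_attr_quoted,
                 render_attr_quoted_weak, render_attr_unquoted)
    for fn in renderers:
        out = fn(UNTRUSTED)
        print(f"{fn.__name__:24s} attrs={attribute_names(out)}  {out}")
    print(session_cookie_header("constructed-session-id"))
```

Running the block shows `onmouseover` appearing as a parsed attribute for both the `quote=False` and the unquoted renderers, and only `value` for the correctly quoted one. An autoescaping template engine can only apply one escaping rule to a value; which rule is right is decided by the surrounding markup the template author wrote, which is why reviewing templates for unquoted attributes and script contexts is part of the checking the post asks about, alongside HttpOnly on the session cookie as a damage limiter.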
