Re: Will django escaping ever consider context of javascript and CSS?

2012-06-07 Thread Luke Plant
On 03/05/12 17:49, Voulnet wrote:
> The document you linked says it doesn't make it safe to use, but rather
> helps in fixing syntax errors.
> 
> " escapejs
> 
> Escapes characters for use in JavaScript strings. This does not make the
> string safe for use in HTML, but does protect you from syntax errors
> when using templates to generate JavaScript/JSON."

This means that it is not safe for use *in HTML*. It does guarantee that
all the data ends up as a single javascript string literal, but that
javascript string will still need HTML escaping if you are planning on
inserting it in the DOM. This needs to be done using a javascript escape
function (not provided).

We've looked at custom escape mechanisms in the past. There are big
difficulties due to the fact that builtin filters only work correctly
with the context of HTML escaping.

Some relevant previous discussions:

http://goo.gl/XZ7Pt

http://goo.gl/T8tkx

Luke

-- 
OSBORN'S LAW
Variables won't, constants aren't.

Luke Plant || http://lukeplant.me.uk/

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.



Re: Will django escaping ever consider context of javascript and CSS?

2012-05-03 Thread Voulnet
The document you linked says it doesn't make it safe to use, but rather
helps in fixing syntax errors.

" escapejs

Escapes characters for use in JavaScript strings. This does not make the
string safe for use in HTML, but does protect you from syntax errors when
using templates to generate JavaScript/JSON."

And there is also the CSS context, using things like expression which can
execute JavaScript. I'm just saying it will be great to have filtering
context for those.
On May 3, 2012 6:34 PM, "Tom Evans"  wrote:

> On Fri, Apr 27, 2012 at 11:58 PM, Voulnet  wrote:
> > Hello, Django provides great protection from XSS by escaping output to
> > webpages, but it only does it in HTML context. XSS can be executed
> > when user input is inserted into javascript or CSS, which have
> > different context and rules than HTML, so HTML context escaping
> > doesn't help/protect.
> >
> > Is there any remote chance of django escaping extending to other
> > contexts beside HTML?
> >
>
> There is the built-in escapejs filter that works fine for making user
> generated content safe.
>
> https://docs.djangoproject.com/en/1.4/ref/templates/builtins/#escapejs
>
> Although it would be nice to be able to alter the escaping algorithm
> in use, so that one can do things like this:
>
> {% block head %}
> 
> 
> {% autoescape javascript %}
> var user = '{{ user.name }}';
> {% endautoescape %}
> 
> {% endblock %}
>
> Cheers
>
> Tom
>

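Illustration of the CSS-context gap Voulnet raises, added here and not part of the thread or of Django (which has no CSS-context filter). css_escape() is a hypothetical helper that uses the backslash-hex escape form the CSS syntax defines; the colour allowlist and the untrusted input are constructed for the example.

```python
"""Added illustration (not Django's code) for the CSS context Voulnet raises:
Django has no CSS-context filter, so a value that lands in a stylesheet or a
style attribute needs one of the two defences shown here.

Assumptions: css_escape() is a hypothetical helper using the escape form the
CSS syntax defines (backslash, hex code point, one space); the colour
allowlist in is_hex_colour() is constructed for this example."""
import re

_SAFE_CHAR = re.compile(r"[A-Za-z0-9]")
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6}) ?")
_HEX_COLOUR = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")


def css_escape(value: str) -> str:
    """Hex-escape everything that is not an ASCII letter or digit.

    The result can only ever be literal text inside its declaration: it
    cannot end the declaration (;), open or close a block ({ }), start a
    function such as url( or the expression( that Voulnet mentions, or
    terminate a quoted string."""
    return "".join(
        ch if _SAFE_CHAR.match(ch) else "\\%x " % ord(ch) for ch in value
    )


def css_unescape(value: str) -> str:
    """Simulate how a CSS tokenizer reads the text back: one backslash, up to
    six hex digits and an optional trailing space form a single character."""
    return _CSS_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def is_hex_colour(value: str) -> bool:
    """Allowlist check.  When the template only needs a colour, validating the
    grammar is stronger than escaping, because escaping keeps the hostile
    text visible to the user even though it is inert."""
    return bool(_HEX_COLOUR.match(value))


def style_declaration(prop: str, value: str) -> str:
    """Render  prop: value;  with the value escaped for the CSS context.
    prop is assumed to come from the template author, not from input."""
    return "%s: %s;" % (prop, css_escape(value))


# Constructed untrusted input: tries to end the declaration and add another.
UNTRUSTED = "red; background: url(x)"

if __name__ == "__main__":
    print(style_declaration("color", UNTRUSTED))
    print("round trip ok :", css_unescape(css_escape(UNTRUSTED)) == UNTRUSTED)
    print("allowlisted   :", is_hex_colour(UNTRUSTED), is_hex_colour("#ff0000"))
```

The trailing space after each escape is not cosmetic: a CSS tokenizer consumes up to six hex digits after the backslash, so without the terminator an escaped "<" followed by a user-supplied "b" would read back as one unrelated code point instead of two characters.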



Re: Will django escaping ever consider context of javascript and CSS?

2012-05-03 Thread Tom Evans
On Fri, Apr 27, 2012 at 11:58 PM, Voulnet  wrote:
> Hello, Django provides great protection from XSS by escaping output to
> webpages, but it only does it in HTML context. XSS can be executed
> when user input is inserted into javascript or CSS, which have
> different context and rules than HTML, so HTML context escaping
> doesn't help/protect.
>
> Is there any remote chance of django escaping extending to other
> contexts beside HTML?
>

There is the built-in escapejs filter that works fine for making user
generated content safe.

https://docs.djangoproject.com/en/1.4/ref/templates/builtins/#escapejs

Although it would be nice to be able to alter the escaping algorithm
in use, so that one can do things like this:

{% block head %}


{% autoescape javascript %}
var user = '{{ user.name }}';
{% endautoescape %}

{% endblock %}

Cheers

Tom




Will django escaping ever consider context of javascript and CSS?

2012-04-27 Thread Voulnet
Hello, Django provides great protection from XSS by escaping output to
webpages, but it only does it in HTML context. XSS can be executed
when user input is inserted into javascript or CSS, which have
different context and rules than HTML, so HTML context escaping
doesn't help/protect.

Is there any remote chance of django escaping extending to other
contexts beside HTML?
