On Tue, May 15, 2012 at 8:59 AM, Stephen McDonald wrote:
> Stephen from Mezzanine here - thanks for the thorough response Russ.
>
> The cleansing process we go through is very rigorous - we're leaning
> on the shoulders of tools that have solved this problem (in our case
>
Stephen from Mezzanine here - thanks for the thorough response Russ.
The cleansing process we go through is very rigorous - we're leaning
on the shoulders of tools that have solved this problem (in our case
the bleach library). It uses a white-list of tags and attributes, so
all those tricky edge
That is as I feared, thanks for the help Russ.
On May 14, 4:58 pm, Russell Keith-Magee
wrote:
> On Tue, May 15, 2012 at 5:09 AM, Josh Cartmell wrote:
> > Thanks for the responses and insight everyone (special thanks to
> > Russel to clarifying what
On Tue, May 15, 2012 at 5:09 AM, Josh Cartmell wrote:
> Thanks for the responses and insight everyone (special thanks to
> Russel to clarifying what type of attack this is). I will point this
> discussion out to the Mezzanine users group and hopefully it will
> generate
Thanks for the responses and insight everyone (special thanks to
Russel to clarifying what type of attack this is). I will point this
discussion out to the Mezzanine users group and hopefully it will
generate some more thought into the matter.
@Nikolas, you summed up what I was thinking well. I
On Fri, May 11, 2012 at 10:11 PM, Josh Cartmell wrote:
> I work a lot with Mezzanine which is a CMS that uses Django. A
> security issue was recently revealed where an admin user, lets call
> him A, (they can post rich content) could put a cleverly constructed
> javascript
I know nothing about mezzanine, but if you have access to the view
functions, then perhaps you can use a construct along the lines of:
|def view_function(request):|
| if request.user.is_superuser:|
|return HttpResponse404() # Or perhaps render the view treating all
data as unsafe...|
|
The issue here is that Josh wants to allow certain users (admins) to
create content with tags, but ensure that said users can't use
JavaScript to gain superuser status or otherwise monkey with things they
shouldn't. So while the "don't trust user content" approach is a good
default, I don't think
On Sat, May 12, 2012 at 5:11 AM, Josh Cartmell wrote:
> I work a lot with Mezzanine which is a CMS that uses Django. A
> security issue was recently revealed where an admin user, lets call
> him A, (they can post rich content) could put a cleverly constructed
> javascript
I imagine you could prevent this by storing the CSRF token in the user
session rather than directly in a cookie. That way, JS on the site
wouldn't be able to get at it. It looks like at least one project does
this: https://github.com/mozilla/django-session-csrf
_Nik
On 5/11/2012 2:11 PM, Josh
I work a lot with Mezzanine which is a CMS that uses Django. A
security issue was recently revealed where an admin user, lets call
him A, (they can post rich content) could put a cleverly constructed
javascript on a page such that if a superuser, let's call her B, then
visited the page it would
11 matches
Mail list logo