On Thu, Apr 22, 2010 at 12:35 PM, Ferran Fontcuberta <[email protected]> wrote:
> Why isn't it safe to pass input into a template?
Well, I haven't seen your code, but input generally contains user input. And that's something you should NEVER EVER trust as valid/safe data. If I do something like:

http://ferransite.com/index?name=obfuscatedjavascriptcode

You can imagine what might happen. That said, my version isn't much safer because I simply reassign user input to a new var, and it's not any safer than your version. You should definitely validate input before passing it any further. For example, you can make sure names and surnames contain only A-Za-z, spaces and dashes, and that they begin with an upper-case letter:

    import re

    # Whitelist: an upper-case initial, then only letters, spaces or dashes,
    # anchored at both ends so nothing else can sneak in after a valid prefix
    name_re = re.compile(r'^[A-Z][A-Za-z -]*$')

    # i is the parsed request input (web.input() in web.py)
    if name_re.match(i.name):
        myvar.name = i.name

(Don't take that regexp for granted, I kinda suck at regexps.)

--
Branko Vukelić
[email protected]
[email protected]

Check out my blog: http://www.brankovukelic.com/
Check out my portfolio: http://www.flickr.com/photos/foxbunny/
Registered Linux user #438078 (http://counter.li.org/)
I hang out on identi.ca: http://identi.ca/foxbunny

--
You received this message because you are subscribed to the Google Groups "web.py" group.
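The advice in the reply above, carried through as an added example (it is not part of the original thread and not web.py's own code): a whitelist validator for the name parameter built from the constraints the reply states, the HTML escaping a template layer should apply regardless of validation, and a handful of constructed request values, including a script payload of the kind the reply alludes to. web.py's web.input() is stood in for by plain strings so the block runs offline; the function names are this editor's.

```python
import html
import re

# Whitelist (added example, not the original poster's regexp): an upper-case
# initial, then only letters, spaces or dashes, to the very end of the string.
# fullmatch() is used instead of match() + '$' because '$' would still accept
# a trailing newline.
NAME_RE = re.compile(r"[A-Z][A-Za-z -]*")


def validate_name(value):
    """Return True only if value consists solely of whitelisted characters."""
    return bool(NAME_RE.fullmatch(value))


def escape_for_html(value):
    """Output encoding: what the template layer should do to any value it emits."""
    return html.escape(value, quote=True)


def render_unsafe(name):
    """The pattern the thread warns against: raw request input pasted into markup."""
    return "<p>Hello, %s!</p>" % name


def handle_name_param(name):
    """Whitelist first, then escape on output (defence in depth).

    Returns None when the value is rejected; otherwise the HTML fragment.
    Escaping still happens even though the whitelist already excludes '<',
    so a weaker regexp swapped in later does not silently reopen the hole.
    """
    if not validate_name(name):
        return None
    return "<p>Hello, %s!</p>" % escape_for_html(name)


# Constructed values standing in for ?name=... on the query string.
SAMPLE_INPUTS = {
    "Ferran Fontcuberta": True,
    "Mary-Jane": True,
    "ferran": False,                            # must start upper-case
    "Ferran<script>alert(1)</script>": False,   # markup rejected outright
    "Ferran\n": False,                          # trailing newline rejected
    "": False,
}


def check_samples():
    """Run every constructed sample through the whitelist; return the mismatches."""
    return {s: validate_name(s) for s, expected in SAMPLE_INPUTS.items()
            if validate_name(s) != expected}


if __name__ == "__main__":
    payload = 'Ferran<script>alert("xss")</script>'
    print("unsafe  :", render_unsafe(payload))
    print("rejected:", handle_name_param(payload))
    print("escaped :", escape_for_html(payload))
    assert not check_samples()
```

Validation alone is not the whole answer: the whitelist is specific to names, and other fields (addresses, free-text comments) legitimately contain characters it rejects, so the template must escape on output in every case. In web.py's own template engine an expression written as `$name` is escaped by default while `$:name` is emitted raw; the raw form is the one to avoid for anything that came from the request.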
