Hi Alexei, thanks for the response. Does this mean that security-related concerns will be used as a justification for upgrading to v4? I've rewritten significant portions of the app at this point, so I'm leaning toward not upgrading this specific installation when v4 comes around. Therefore, any more information on how the csrf-related gaps can be closed would be much appreciated.

Do you think that would cover the main security concerns (outside of an SSL certificate, which we've talked about already) and allow the app to hold up to a high level of scrutiny?

Adam

On Monday, April 11, 2016 at 4:39:14 PM UTC-6, Alexei Peters wrote:
> Hi Adam,
> A good question which probably warrants further discussion. As far as Arches v3 goes, there are some gaps related to the csrf_exempt decorator that will be closed in v4. For the most part we use the ORM and should be protected against SQL injection. Most of our data comes in as JSON strings and is never rendered as html so we should be safe there.
> As far as the "|safe" filter is concerned we only use those on instances where we use Summernote for html descriptions and that data gets escaped by the Summernote widget (although it looks like someone, an authenticated user mind you, could use the dev tools to bypass that).
> Hope that helps a little.
> Cheers,
> Alexei
>
> Director of Web Development - Farallon Geographics, Inc. - 971.227.3173
>
> On Mon, Apr 11, 2016 at 9:46 AM, Adam Cox <[email protected]> wrote:
>> EDIT: I mistakenly pasted the wrong link... This is what I meant to reference:
>> http://security.stackexchange.com/questions/27805/is-djangos-built-in-security-enough
>> Sorry for the confusion.
>>
>> On Mon, Apr 11, 2016 at 10:43 AM, Adam Cox <[email protected]> wrote:
>>> Hello, I'm anticipating security-related questions, and I was looking into what people have to say about Django generally. I'm wondering if an Arches developer can comment on the subjects raised in this thread: https://groups.google.com/forum/#!topic/archesproject/sXu6qpMuoAs, regarding SQL Injection, CSRF, and XSS attacks.
>>> I've noticed a couple of specific things--that a number of model functions have the csrf_exempt decorator, and that the "|safe" filter is used in the report templates, for example--but I would appreciate a general rundown of how Arches is a secure Django application.
>>>
>>> Thanks,
>>> Adam
>>>
>>> --
>>> -- To post, send email to [email protected]. To unsubscribe, send email to [email protected]. For more information, visit https://groups.google.com/d/forum/archesproject?hl=en
>>> ---
>>> You received this message because you are subscribed to the Google Groups "Arches Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
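The thread above asks what the `csrf_exempt` gaps actually mean and how they can be closed. The following is an added example written for this page; it is not Arches code and not Django's own middleware. It is a small pure-Python model of the decision Django's CSRF middleware makes (safe methods pass, an exempt view skips the check, HTTPS requests need a same-host Referer, and the cookie token must match the token resubmitted in the form field or the `X-CSRFToken` header), run over constructed requests so the difference between a protected view and an exempt one is visible side by side. The `Request` class, `issue_token`, `csrf_check` and `scenarios` are hypothetical names chosen for the example; the cookie, field and header names are the ones Django uses by default.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

CSRF_COOKIE = "csrftoken"           # Django's default CSRF cookie name
CSRF_HEADER = "X-CSRFToken"         # header the middleware accepts for AJAX/JSON posts
CSRF_FIELD = "csrfmiddlewaretoken"  # hidden form field name
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    """Constructed stand-in for an HTTP request (hypothetical; not Django's HttpRequest)."""
    method: str
    host: str = "arches.example"     # constructed hostname
    is_secure: bool = False
    referer_host: Optional[str] = None
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def issue_token() -> str:
    """Random token the server sets as the CSRF cookie and embeds in its own pages."""
    return secrets.token_urlsafe(32)


def csrf_check(request: Request, view_exempt: bool = False) -> Tuple[bool, str]:
    """Decide whether a request passes the CSRF check; returns (allowed, reason)."""
    if request.method in SAFE_METHODS:
        return True, "safe method"
    if view_exempt:
        # This is what @csrf_exempt buys: no token is ever looked at.
        return True, "view is csrf_exempt, check skipped"
    if request.is_secure:
        # Over HTTPS the middleware also requires a Referer from the same host.
        if request.referer_host is None:
            return False, "HTTPS request without Referer"
        if request.referer_host != request.host:
            return False, "Referer host mismatch"
    cookie = request.cookies.get(CSRF_COOKIE)
    if not cookie:
        return False, "no CSRF cookie"
    submitted = request.form.get(CSRF_FIELD) or request.headers.get(CSRF_HEADER)
    if not submitted:
        return False, "no CSRF token in form field or header"
    # Constant-time compare so timing does not leak how many leading bytes matched.
    if not hmac.compare_digest(cookie.encode(), submitted.encode()):
        return False, "token mismatch"
    return True, "token ok"


def scenarios() -> Dict[str, Tuple[bool, str]]:
    """The cases a reviewer would want to see side by side (all inputs constructed)."""
    token = issue_token()
    # 1. The app's own JS posts JSON and echoes the cookie token in the header.
    same_origin = Request("POST", cookies={CSRF_COOKIE: token},
                          headers={CSRF_HEADER: token})
    # 2. A form on another site posts to the app: the browser attaches the cookie,
    #    but the other site cannot read it, so no token arrives in field or header.
    cross_site = Request("POST", cookies={CSRF_COOKIE: token})
    # 3. Same cross-site request against an HTTPS deployment, with a foreign Referer.
    cross_site_tls = Request("POST", is_secure=True, referer_host="other.example",
                             cookies={CSRF_COOKIE: token})
    return {
        "same_origin_protected": csrf_check(same_origin),
        "cross_site_protected": csrf_check(cross_site),
        "cross_site_tls_protected": csrf_check(cross_site_tls),
        "cross_site_exempt_view": csrf_check(cross_site, view_exempt=True),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in scenarios().items():
        print(f"{name:26} {'ALLOW' if allowed else 'BLOCK':5} ({reason})")
```

The last scenario is the gap the thread refers to: on an exempt view the cross-site request is accepted with the victim's cookies attached. In a Django application the fix is to drop `@csrf_exempt` from views that change data, keep `CsrfViewMiddleware` enabled, and have the JSON-posting JavaScript read the `csrftoken` cookie and send it back in the `X-CSRFToken` header (Django's `ensure_csrf_cookie` decorator guarantees the cookie is set on pages that only serve JavaScript). The Referer check in the model is one more reason to serve the application over HTTPS, which the thread already discusses.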
