no one said "forbid nothing".  i said "you don't need to forbid all '<'s",
which is what you proposed was a problem with a data validation take.

you would obviously forbid html in an HTMLSafeCharField, which does limit
user's input.  i'm just saying that in the vast, vast, vast majority of
form inputs, db fields, etc., html is an invalid input anyway, so this is
a trivial restriction.

plus remember that this would be optional, per-field, and not the default.
(i.e., i'm not suggesting we modify the CharField to by default forbid
html)


>
> [EMAIL PROTECTED] wrote:
>> not true.  no browser interprets a single "<" as a tag unless it has a
>> valid tag name (and company) and closing ">" directly after it.  only the
>> most rudimentary implementations would blindly strip "<"s without looking
>> at their context.
>
> So, how exactly would you validate the input without forbidding
> anything?
>
> Michael



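
An added example, not code from the thread or from Django: a per-field check in the spirit of the HTMLSafeCharField idea discussed above, which rejects markup while still accepting a lone "<". The names `validate_no_html` and `HTMLNotAllowed` are hypothetical, and the rule is stricter than "tag name plus closing '>'": it assumes the HTML tokenizer's behaviour, where "<" followed by a letter, "/", "!" or "?" already leaves plain-text state even when no ">" has been seen yet.

```python
import re

# Assumption (not from the thread): a "<" is only significant when the HTML
# tokenizer would leave plain-text state on it, i.e. when the next character
# is an ASCII letter (start tag), "/" (end tag), "!" (comment or doctype)
# or "?" (bogus comment). Any other "<" is emitted as a literal character.
_MARKUP_START = re.compile(r"<[A-Za-z/!?]")


class HTMLNotAllowed(ValueError):
    """Raised when a value contains a sequence a browser could parse as markup."""


def validate_no_html(value: str) -> str:
    """Hypothetical per-field validator: reject markup, keep lone '<' characters."""
    match = _MARKUP_START.search(value)
    if match:
        raise HTMLNotAllowed(f"markup-like sequence at offset {match.start()}")
    return value


def check_all(samples):
    """Map each sample to True (accepted) or False (rejected)."""
    results = {}
    for sample in samples:
        try:
            validate_no_html(sample)
            results[sample] = True
        except HTMLNotAllowed:
            results[sample] = False
    return results


# Constructed sample inputs, not taken from the thread.
SAMPLES = [
    "price < 10 and qty > 2",  # "<" followed by a space: accepted
    "1<2",                     # "<" followed by a digit: accepted
    "I <3 Django",             # accepted
    "<b>bold</b>",             # complete tag: rejected
    "<img src=logo.png",       # no closing ">" in the field itself: still rejected
    "</p",                     # end-tag opener: rejected
    "<!-- note",               # comment opener: rejected
]

if __name__ == "__main__":
    for text, accepted in check_all(SAMPLES).items():
        print(("accept" if accepted else "reject"), repr(text))
```

The unclosed-tag case is rejected because the surrounding template can supply the ">" later. A check like this narrows what a field accepts; values still need escaping for the context they are rendered in.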