I've been following this thread since the get-go with interest, but am a first-time commenter here. Although I think the devs have a clear picture, I get the feeling that some participants in this discussion are getting input validation and output escaping confused, which is generating lots of unnecessary discussion. Let me use an oversimplified example to explain. Let's suppose a user submits the following text to your app:

1 < 2 & 2 > 3

Now, that obviously is not HTML and, as far as I can tell, will not create any obvious security problems, so assuming you have good validators, that text should then pass validation and be written to the DB as is. Some are suggesting that this text should be escaped before being written to the DB. It is true that the above text should be rendered as follows in HTML/XML documents:

1 &lt; 2 &amp; 2 &gt; 3

However, this is where the problem arises. Suppose one needs to output the text to a plain text file (such as an email or CSV file)? If the escaped text is in the DB, it would then have to be 'unescaped' in those cases. That is why escaping must remain in the template, and only the template author will know if some data needs to be escaped in that particular case (regardless of his (lack of) understanding of XSS).

I don't mean to undermine data validation. That is very important as well and should never be overlooked. It's just that validation may not be the end-all solution that some make it out to be. I understand that good/better validation is coming/in the works, but this thread is about escaping. I suppose escaping could be affected by how validation is implemented, but that brings up the chicken-and-egg question, which I won't ask.

It seems to me the real question is whether escaping should be on or off by default and which would be more/less annoying. I think I'm with Simon on this when he says he would have to try it both ways to see which works best. Until then, I'll keep manually escaping things in the template.

One more thing: regardless of whether escaping is on or off by default, having the block tags to turn it on or off for an entire template (or part of one), as well as raw and escape filters for individual variables, would be very handy and can certainly be implemented before the 'default behavior' decision is made.
You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to [EMAIL PROTECTED]. For more options, visit this group at http://groups.google.com/group/django-developers
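The separation the post argues for, as an added example that is not part of the original message or of Django's own code: validation runs once on input and stores the text unchanged, and escaping is chosen per output context (HTML template, CSV, plain-text e-mail). The sample strings, the `validate` rule and the in-memory "database" are constructed for this example. The last function shows the double-escaping the post warns about when escaping happens before storage.

```python
import csv
import html
import io

# Constructed sample inputs: the harmless text from the post, and an
# HTML-looking string of the kind output escaping exists to neutralise.
HARMLESS = "1 < 2 & 2 > 3"
MARKUP = '<b onmouseover="alert(1)">hi</b>'


def validate(text):
    """Input validation: reject what the application cannot use at all.

    Hypothetical rule for this example: plain text up to 200 characters
    with no control characters. It deliberately leaves '<', '&' and '>'
    alone; those are legitimate characters, and their treatment belongs
    to the output stage, not to storage.
    """
    if len(text) > 200:
        raise ValueError("too long")
    if any(ord(c) < 32 and c not in "\n\t" for c in text):
        raise ValueError("control characters not allowed")
    return text


def store(text):
    """Stand-in for the DB write: persist exactly what passed validation."""
    return validate(text)


def render_html(stored):
    """HTML output context: escape in the template, per variable."""
    return "<p>{}</p>".format(html.escape(stored, quote=True))


def render_csv(rows):
    """CSV output context: the csv module handles quoting; no HTML escaping."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def render_plain_text(stored):
    """Plain-text e-mail body: nothing to escape at all."""
    return "Your comment: " + stored + "\n"


def escape_before_storage(text):
    """The approach the post argues against: HTML-escape, then store."""
    return store(html.escape(text, quote=True))


def double_escaped_html(text):
    """Escaped-at-storage data reaching a template that (correctly) escapes
    untrusted data again: the reader sees '&lt;' literally on the page."""
    return render_html(escape_before_storage(text))


def plain_text_from_escaped_storage(text):
    """Escaped-at-storage data reaching the e-mail path: the entities leak
    into plain text unless every non-HTML consumer remembers to unescape."""
    return render_plain_text(escape_before_storage(text))
```

With raw storage every consumer applies exactly the escaping its own format needs; with escaped storage the HTML path produces `&amp;lt;` and the plain-text path produces `&lt;`, and the only remedy is an unescape step in each non-HTML consumer.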