I've been following this discussion with interest.  XSS fragility is a 
real weak point for text-based templating engines, and we need to find a 
solution.

On the topic of HTML-escaping vs. general escaping: Absolutely the 
reason to do auto-escaping is to make it dead easy to avoid XSS 
problems, and so HTML escaping is easily the most important thing to get 
right.  While Django's dedication to template agnosticism is great 
(allowing emails to be generated with templates, for example), by far 
most of the text generated through the template engine is HTML, and that 
is the most vulnerable part of the Django ecosystem.

That said, though, keep in mind that not all text in a .html template is 
HTML:

    <p>My first variable is {{my_var1}}</p>
    <script>
    var my_second_variable = "{{my_var2}}";
    blah();
    </script>

In this case, my_var1 needs to have "escape" applied.  The case of 
my_var2 is a bit trickier.  "addslashes" is good, but isn't enough 
(since </script> appearing in my_var2 will cause problems).  Things can 
of course get even trickier:

    <script>
    document.write("<p>{{my_var3}}</p>");
    </script>

My brain starts to hurt trying to figure out how to protect my_var3!

--Ned.

Simon G. wrote:
> This is one of those issues which is never going to please everyone.
>
> So - I've started a list of the various proposals (1), and could you
> all add any other proposals to this page, along with any pros/cons,
> and vote on the one(s) you prefer.
>
> This way we can get some idea of what a consensus view might look like
>
> --Simon
> [1] http://code.djangoproject.com/wiki/AutoEscapingProposals
>

-- 
Ned Batchelder, http://nedbatchelder.com
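As an added example, not from Ned's message or from Django's own code, here are escaping functions for the three contexts the message walks through (HTML body, JS string literal, HTML inside a JS string); the escape_* names, the regex and the sample inputs are constructed for this illustration:

```python
# Context-aware escaping for the three cases in the message above
# (example code; names and regex are constructed, not a Django API).
import re


def escape_html(value: str) -> str:
    """Escape text that lands in an HTML element or attribute (the my_var1 case)."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;")
                 .replace("'", "&#39;"))


# Every character that could end a JS string literal, end the enclosing
# <script> element, or break a line inside the literal.
_JS_UNSAFE = re.compile(r'[\\"\'<>&/\n\r\u2028\u2029\x00-\x1f]')


def escape_js_string(value: str) -> str:
    """Escape text for a quoted JS string literal (the my_var2 case).

    Unlike addslashes, each unsafe character becomes a \\uXXXX escape, so the
    sequence "</script>" can never appear literally in the rendered page.
    """
    return _JS_UNSAFE.sub(lambda m: "\\u%04x" % ord(m.group(0)), value)


def escape_html_in_js_string(value: str) -> str:
    """The my_var3 case: a JS string that document.write() later feeds to the
    HTML parser.  The browser decodes JS escapes first and HTML entities second,
    so the escapes are applied in reverse: HTML-escape, then JS-escape."""
    return escape_js_string(escape_html(value))


def render_script_block(my_var2: str, my_var3: str) -> str:
    """Render the two <script> snippets from the message with correct escaping."""
    return (
        "<script>\n"
        f'var my_second_variable = "{escape_js_string(my_var2)}";\n'
        f'document.write("<p>{escape_html_in_js_string(my_var3)}</p>");\n'
        "</script>\n"
    )
```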

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en
-~----------~----~----~----~------~----~------~--~---
