Here's a reference from W3C on "what you should do": https://www.w3.org/International/questions/qa-personal-names#singlefield - with a great intro.
I'm not sure what a django.contrib.auth migration path could look like. We'd probably want to preserve the first_name + last_name behaviour as an option as combining without breaking systems will be very difficult. On Tue, 18 Aug 2020 at 15:26, Matthew Pava <matthew.p...@iss.com> wrote: > Thank you so much for sharing that, Adam. I’ve always wondered what the > best way was to deal with names. The systems I work with should be able to > handle names from all countries of the world. I find you kalzumeus link > only slightly helpful, though. It explains what we shouldn’t do. I’d rather > just have an explanation of what we should do to handle names. Seriously, > should we have just one field that a person can enter their full name? Or > multiple fields? > > > > And perhaps Django should lead on this. As bad as the backwards > compatibility concerns are, we should probably just address it once and for > all. > > > > *From:* django-developers@googlegroups.com < > django-developers@googlegroups.com> *On Behalf Of *Adam Johnson > *Sent:* Tuesday, August 18, 2020 4:26 AM > *To:* django-developers@googlegroups.com > *Subject:* Re: Django default input validation accepts special caracters > > > > I am against adding validation here. See the classic *Falsehoods > Programmers Believe About Names*: > https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/ > <https://us-east-2.protection.sophos.com?d=kalzumeus.com&u=aHR0cHM6Ly93d3cua2FsenVtZXVzLmNvbS8yMDEwLzA2LzE3L2ZhbHNlaG9vZHMtcHJvZ3JhbW1lcnMtYmVsaWV2ZS1hYm91dC1uYW1lcy8=&e=bWF0dGhldy5wYXZhQGlzcy5jb20=&t=OWpDN2ZmUTdpU1F0Vy9YSkJuSWhHbThLcjR3YmI1SEZ6QXFDTkE5eE1NUT0=&h=548dd2c73a16443aad56c5e7e25d6124> > . > > > > Here are some characters that have caused security issues in the past > (e.g. URL bar display), but I'd reckon are legitimate in some human names: > > - non-breaking space > - zero-width space > - RTL or LTR markers > - Quote marks > > If you do want to block this, we don't need a new argument to Charfield. > You can implement a custom validator, and even pair it with a database > constraint. But you might block legitimate users. > > > > The only change we should be making is moving from separate first_name + > last_name fields to solely a name field, since *many* people don't fit into > that. I think there's a ticket, but there are massive backwards > compatibility concerns. > > > > P.S. never forget the case of Mr Null: https://www.wired.com/2015/11/null/ > <https://us-east-2.protection.sophos.com?d=wired.com&u=aHR0cHM6Ly93d3cud2lyZWQuY29tLzIwMTUvMTEvbnVsbC8=&e=bWF0dGhldy5wYXZhQGlzcy5jb20=&t=Ymk0WXNOMk5HQ09KV2VBZWIwd0I1dnFwU0pIT2NoODZZTWoybjZnd0lJND0=&h=548dd2c73a16443aad56c5e7e25d6124> > > > > On Tue, 18 Aug 2020 at 09:39, Kacper Szmigiel <szmigielkac...@gmail.com> > wrote: > > Hello! > > Maybe some `special_characters` bool field on models.CharField with > default to `False` would do the job? > > > > wt., 18 sie 2020 o 10:36 '1337 Shadow Hacker' via Django developers > (Contributions to Django itself) <django-developers@googlegroups.com> > napisał(a): > > Currently, when you order a security audit on a Django project from any of > the firms I've seen so far (including my own), all inputs fall short on > stuff like: > > > > "First name input: allows special caracters such as <>/"' which may cause > a security issue with further developments done on the same database but > outside Django". > > > > As far as I can imagine, special caracters would be acceptable on inputs > that should accept code or some kind of math, which is not the case for > most inputs. > > > > Django should harden default input validation to make it easier for Django > projects to get a good grade on security audits, without having to go over > all fields to setup basic input validators. > > -- > You received this message because you are subscribed to the Google Groups > "Django developers (Contributions to Django itself)" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to django-developers+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/django-developers/EiNHz_fmHLmQXZ5ChTG0qrnp8BrP0s75szk9oDolStpIyMSz71B3yesI7U6K8QZNkUmeAN6v6zMhExwhwcbtGNeaOUgubDOIDK-Q4cVFvOw%3D%40protonmail.com > <https://us-east-2.protection.sophos.com?d=google.com&u=aHR0cHM6Ly9ncm91cHMuZ29vZ2xlLmNvbS9kL21zZ2lkL2RqYW5nby1kZXZlbG9wZXJzL0VpTkh6X2ZtSExtUVhaNUNoVEcwcXJucDhCclAwczc1c3prOW9Eb2xTdHBJeU1TejcxQjN5ZXNJN1U2SzhRWk5rVW1lQU42djZ6TWhFeHdod2NidEdOZWFPVWd1YkRPSURLLVE0Y1ZGdk93JTNEJTQwcHJvdG9ubWFpbC5jb20_dXRtX21lZGl1bT1lbWFpbCZ1dG1fc291cmNlPWZvb3Rlcg==&e=bWF0dGhldy5wYXZhQGlzcy5jb20=&t=ODh0MlVFVVVQWU5iUkpxa1MzWk4xdEdJb1RDVTNPall0NWtDWDdVc3V0az0=&h=548dd2c73a16443aad56c5e7e25d6124> > . > > -- > You received this message because you are subscribed to the Google Groups > "Django developers (Contributions to Django itself)" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to django-developers+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/django-developers/CAFfZ%2Bb4GNSksSUm%3De8bQAp1t1qgDkLvNpitYjLmY1QHb94vs7w%40mail.gmail.com > <https://us-east-2.protection.sophos.com?d=google.com&u=aHR0cHM6Ly9ncm91cHMuZ29vZ2xlLmNvbS9kL21zZ2lkL2RqYW5nby1kZXZlbG9wZXJzL0NBRmZaJTJCYjRHTlNrc1NVbSUzRGU4YlFBcDF0MXFnRGtMdk5waXRZakxtWTFRSGI5NHZzN3clNDBtYWlsLmdtYWlsLmNvbT91dG1fbWVkaXVtPWVtYWlsJnV0bV9zb3VyY2U9Zm9vdGVy&e=bWF0dGhldy5wYXZhQGlzcy5jb20=&t=WC9yZTJDWkJIZTkxMzlJNXBRZDBRdkthR3VKbmV5UzlRYnlaZXFpVWNFTT0=&h=548dd2c73a16443aad56c5e7e25d6124> > . > > > > -- > > Adam > > -- > You received this message because you are subscribed to the Google Groups > "Django developers (Contributions to Django itself)" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to django-developers+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/django-developers/CAMyDDM2CsjYg-8DJ2AyOpbbnn-vR-CUK9DSSf-1_wywJejg4aQ%40mail.gmail.com > <https://us-east-2.protection.sophos.com?d=google.com&u=aHR0cHM6Ly9ncm91cHMuZ29vZ2xlLmNvbS9kL21zZ2lkL2RqYW5nby1kZXZlbG9wZXJzL0NBTXlERE0yQ3NqWWctOERKMkF5T3BiYm5uLXZSLUNVSzlEU1NmLTFfd3l3SmVqZzRhUSU0MG1haWwuZ21haWwuY29tP3V0bV9tZWRpdW09ZW1haWwmdXRtX3NvdXJjZT1mb290ZXI=&e=bWF0dGhldy5wYXZhQGlzcy5jb20=&t=QmdDUmtsQVhyN0kvRllkVCthbi9DbldnejByQi9DT3Q4NnVQaXBzdmN4OD0=&h=548dd2c73a16443aad56c5e7e25d6124> > . > > -- > You received this message because you are subscribed to the Google Groups > "Django developers (Contributions to Django itself)" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to django-developers+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/django-developers/697a2ac6964d4a94b2fe96e1331e36f7%40iss2.ISS.LOCAL > <https://groups.google.com/d/msgid/django-developers/697a2ac6964d4a94b2fe96e1331e36f7%40iss2.ISS.LOCAL?utm_medium=email&utm_source=footer> > . > -- Adam -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMyDDM3DXyNbxAXTCADz71wx_DwM4w_gkmXnz9QsWxZ%2BNNRwkQ%40mail.gmail.com.
