On 24 February 2011 00:29, Simone Federici <s.feder...@gmail.com> wrote:
> Maybe you could write a filter "urlsafe" to use in templates so that the
> variable does not contain javascript.
> And you could create a command that scans templates and raises an alert for every
> variable inside an href attribute that is not "urlsafe".
> But I believe that a tool is used to work, not to do the work for me. And
> Django is a tool.
> It's like the java paradox: java is a language that hides a lot of
> problems, and tries to resolve them without the programmers. Result: you
> cannot trust a java programmer, because often he doesn't know what the code
> really does.
> For this reason, I see that this kind of problem is better left to
> developers to resolve. The better solution is to document the
> problem better.
> I think it is out of the scope of djangodevtools.
> In other words, djangodevtools is not a library for development, but is a would
That sounds like a good idea -- "urlsafe". There already is urlize. However, it doesn't work for all urls.

I was thinking about using xpath to evaluate the use of variables in 'interesting' places (attributes) and then checking if the attribute is quoted or not. I think someone with more django template knowledge can think of a better way.

I also reported http://code.djangoproject.com/ticket/15365 so now it might be worthwhile searching for markup use in templates.

The best python html sanitization I have so far seen is from lxml.html.clean [0]. However it seems to be very much on the too 'strong' side.

[0] - http://lxml.de/lxmlhtml.html#cleaning-up-html
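The two ideas in this thread, a "urlsafe" filter that refuses script-bearing URLs and a scan of templates for href attributes whose variable is unquoted or not passed through that filter, are sketched below as an added example. This is not code from the thread, from djangodevtools or from Django: the function names `urlsafe` and `scan_template`, the scheme allowlist and the sample template are assumptions of this example. The filter body is plain Python so it runs stand-alone; a Django project would register it with `@register.filter` and keep autoescaping on, since the filter only vets the URL scheme and does not escape quotes.

```python
import re
from urllib.parse import urlsplit

# Schemes an href value may use; everything else (javascript:, data:,
# vbscript:, ...) is replaced. Assumed allowlist for this example.
SAFE_SCHEMES = {"http", "https", "mailto", "ftp"}
UNSAFE_PLACEHOLDER = "#"


def urlsafe(value):
    """Return value unchanged if its scheme is allowed, otherwise "#".

    Hypothetical filter body; relative URLs (no scheme) are accepted.
    """
    if value is None:
        return UNSAFE_PLACEHOLDER
    # Browsers ignore tabs, newlines and other control characters when they
    # parse a scheme, so "java\tscript:" must be judged as "javascript:".
    candidate = "".join(ch for ch in str(value) if ch.isprintable())
    scheme = urlsplit(candidate).scheme.lower()
    if scheme == "" or scheme in SAFE_SCHEMES:
        return value
    return UNSAFE_PLACEHOLDER


# An href attribute whose value is a template variable: captures the quote
# character (empty when the attribute is unquoted) and the variable expression.
HREF_VAR_RE = re.compile(
    r"""href\s*=\s*(?P<quote>["']?)\s*\{\{\s*(?P<expr>[^}]*?)\s*\}\}""",
    re.IGNORECASE,
)


def scan_template(source):
    """Return (line_no, expression, problem) findings for a template string.

    Two problems are reported: the attribute is unquoted, or the variable
    expression never applies the urlsafe filter.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for match in HREF_VAR_RE.finditer(line):
            expr = match.group("expr")
            # Filter names follow the first "|"; drop any ":argument" part.
            filters = [f.strip().split(":")[0] for f in expr.split("|")[1:]]
            if not match.group("quote"):
                findings.append((line_no, expr, "unquoted attribute"))
            if "urlsafe" not in filters:
                findings.append((line_no, expr, "missing urlsafe filter"))
    return findings


# Constructed sample template: one clean line, one unfiltered variable,
# one unquoted attribute, and one filter chain with an argument.
SAMPLE_TEMPLATE = """\
<a href="{{ profile.homepage|urlsafe }}">home</a>
<a href="{{ profile.homepage }}">home</a>
<a href={{ profile.homepage|urlsafe }}>home</a>
<a href='{{ link|urlsafe|default:"#" }}'>home</a>
"""


if __name__ == "__main__":
    for url in ("https://example.com/", "/relative", "javascript:alert(1)",
                "java\tscript:alert(1)", "data:text/html,x"):
        print(repr(url), "->", repr(urlsafe(url)))
    for line_no, expr, problem in scan_template(SAMPLE_TEMPLATE):
        print(f"line {line_no}: {problem}: {{{{ {expr} }}}}")
```

The scanner is deliberately a line-oriented regex rather than the xpath approach mentioned above, because templates with `{% %}` tags are usually not well-formed XML before rendering; the quote check is what catches the attribute-breakout case the thread is worried about, and the filter check catches the scheme case.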