Hi Django'ers, this will probably sound like a silly question, but
normally I haven't had to think about server security (that's been
someone else's job). However, on my current project I do need to
consider this, and I just wanted to double-check that I understand the
risks of using the "safe" tag in HTML templates.

I've got users that I shouldn't entirely trust, who have access to a
TextField in a model, and that field is displayed in the resultant
HTML with the safe filter. Now, I understand that that means the user
could put JavaScript (or similar) in this field, and it will be
triggered when the page loads. But this doesn't present a threat to
the server security does it? PHP includes won't be interpreted, so
that's not a problem, and JavaScript doesn't have access to the server
file system, right? I'm just not sure whether there is potential HTML
code that could be used to actually damage the server, access its
files, or cause a DoS attack.

Any help would be greatly appreciated! Thanks in advance!!
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---
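A worked illustration of what the `safe` filter changes, added here as an example and not part of the original post. Django's template engine autoescapes by default (the `render_escaped` function below does the same thing with the standard library's `html.escape`); `{{ field|safe }}` switches that off and emits the stored text verbatim, so any markup a user saved runs in the browsers of everyone who views the page. That is a client-side (XSS) problem rather than a server-filesystem one, but it still lets stored script act with the viewing user's session and cookies. If the field genuinely needs formatting, the usual mitigation is to sanitize against an allowlist before marking the result safe. The `AllowlistSanitizer` class, the `UNTRUSTED_BIO` sample input and the allowed-tag/scheme sets are all constructed for this example and are not Django APIs; in production you would use a maintained sanitizer library rather than this sketch.

```python
import html
from html.parser import HTMLParser

# Constructed sample of what an untrusted user might save in the TextField.
UNTRUSTED_BIO = (
    'Hello <b>world</b> <script>alert("xss")</script> '
    '<a href="javascript:alert(1)">link</a>'
)


def render_escaped(text: str) -> str:
    """Equivalent of Django's default autoescaping: markup becomes inert text."""
    return html.escape(text, quote=True)


def render_safe(text: str) -> str:
    """Equivalent of {{ field|safe }}: the stored markup is emitted verbatim."""
    return text


# Allowlist used by the sanitizer below (hypothetical policy for this example).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "a", "br"}
VOID_TAGS = {"br"}                      # elements that take no closing tag
ALLOWED_ATTRS = {"a": {"href"}}         # every other attribute (onclick, style, ...) is dropped
ALLOWED_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags, attributes and URL schemes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0             # > 0 while inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                      # unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            # Only absolute http(s)/mailto links survive; javascript: and data: URLs do not.
            if name == "href" and not value.strip().lower().startswith(ALLOWED_SCHEMES):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth:
            return
        # Text nodes are always re-escaped, so no raw '<' or '"' reaches the output.
        self.out.append(html.escape(data, quote=True))


def sanitize(text: str) -> str:
    """Return a version of `text` that is reasonable to pass through the safe filter."""
    parser = AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("escaped :", render_escaped(UNTRUSTED_BIO))
    print("safe    :", render_safe(UNTRUSTED_BIO))
    print("sanitized:", sanitize(UNTRUSTED_BIO))
```

In the sanitized output the `<b>` survives, the `<script>` element and its body disappear, and the link keeps its text but loses the `javascript:` href. The scheme allowlist deliberately rejects relative URLs too; loosen that only if the policy calls for it. The general rule the example shows: escape by default, and reserve `safe` for text that has already been through an allowlist on the server side, never for raw user input.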