Kind of sucks that you are worried about your server, but not worried
about the people that might use your site.

I'd answer your question regarding JS except for the fact I think the
server and the clients should be safe for the general public, and I
don't want to make it that easy on you.  Allowing some script kiddie
to load JS into a field that will play back on someone else's machine
is reprehensible, even if those users aren't smart enough to install
noscript.

On Feb 23, 1:32 pm, Michael Repucci <mich...@repucci.org> wrote:
> Hi Django'ers, this will probably sound like a silly question, but
> normally I haven't had to think about server security (that's been
> someone else's job). However, on my current project I do need to
> consider this, and I just wanted to double-check that I understand the
> risks of using the "safe" tag in HTML templates.
>
> I've got users that I shouldn't entirely trust, who have access to a
> TextField in a model, and that field is displayed in the resultant
> HTML with the safe filter. Now, I understand that that means the user
> could put JavaScript (or similar) in this field, and it will be
> triggered when the page loads. But this doesn't present a threat to
> the server security does it? PHP includes won't be interpreted, so
> that's not a problem, and JavaScript doesn't have access to the server
> file system, right? I'm just not sure whether there is potential HTML
> code that could be used to actually damage the server, access its
> files, or cause a DoS attack.
>
> Any help would be greatly appreciated! Thanks in advance!!
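The trade-off raised in this thread (autoescaping versus `|safe` on a user-editable TextField) as an added example, not code from either poster or from Django itself. It is pure standard-library Python standing in for Django's behaviour: `render_field` plays the role of the template engine's autoescape, `SafeString` plays the role of `django.utils.safestring.SafeString` (what `mark_safe` and `|safe` produce), and `sanitize_html` is a hypothetical allowlist sanitizer of the kind you would run over untrusted rich text before marking it safe. The sample input and the allowed-tag set are constructed for the demonstration.

```python
"""Escaping versus |safe for an untrusted TextField rendered into HTML.

Standard library only. The Django pieces it imitates are named in comments;
nothing here is Django's own code.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: tags/attributes a sanitizer keeps. Everything else
# (script, iframe, style, event-handler attributes) is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_URL_SCHEMES = {"http", "https", ""}  # "" covers relative URLs

# Constructed sample of what an untrusted user might type into the field.
UNTRUSTED = ('<p>Hi <b>there</b></p><script>untrusted()</script>'
             '<a href="javascript:x" onclick="y">link</a>')


class SafeString(str):
    """Marker type: content the developer vouches for. Stands in for
    django.utils.safestring.SafeString (the result of mark_safe / |safe)."""


def render_field(value):
    """Stand-in for autoescape: a plain str is escaped, a SafeString is emitted
    verbatim. Applying |safe to raw user input is exactly SafeString(value)
    with no checking in between, which is the hazard discussed above."""
    if isinstance(value, SafeString):
        return str(value)
    return html.escape(value, quote=True)


class _Sanitizer(HTMLParser):
    """Rebuilds the fragment keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside a dropped <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            if tag in ("script", "style"):
                self._skip_depth += 1  # drop the element's text too
            return
        kept = []
        for name, val in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick, onerror, style, ...
            if name == "href" and urlparse(val or "").scheme.lower() not in SAFE_URL_SCHEMES:
                continue  # drops javascript:, data:, vbscript: links
            kept.append(f' {name}="{html.escape(val or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=True))


def sanitize_html(fragment):
    """Allowlist-sanitize untrusted HTML and return it as a SafeString, so the
    only thing that is ever marked safe is output this function produced."""
    parser = _Sanitizer()
    parser.feed(fragment)
    parser.close()
    return SafeString("".join(parser.out))


if __name__ == "__main__":
    print("autoescaped :", render_field(UNTRUSTED))
    print("|safe on raw:", render_field(SafeString(UNTRUSTED)))  # script reaches the browser
    print("sanitized   :", render_field(sanitize_html(UNTRUSTED)))
```

The point of the three lines in `__main__`: autoescaping turns the whole field into inert text, `|safe` on the raw value ships the script tag to every visitor's browser, and a sanitizer gives the middle ground when users legitimately need some markup. Whether that middle ground is needed at all is the first question to ask; if plain text is acceptable, leave autoescaping on and drop `|safe`.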