On Mon, Feb 23, 2009 at 12:03 PM, Michael Repucci <mich...@repucci.org> wrote:
>
> I'm certainly worried about both, but I would like the users to be
> able to add JavaScript. Changes to the site will actually have to be
> monitored for offensive content (including both JavaScript and
> offensive language), so hopefully such content wouldn't be up for very
> long. But I was just worried that an attack on the server could (in
> theory) be made before the site manager had a chance to monitor, and
> remove, an offending script.
>
> But perhaps I'm going about this in completely the wrong way. I'm by
> no means a professional web developer; I'm completely self-taught. So
> any further advice you could give would be great. Thanks!
>

Malicious JavaScript could be used to steal users' cookies or to
redirect the page to a different site.  I doubt you'd want to risk
either of these things on your site.  I'd recommend you read up on
cross-site scripting (XSS) to get a better idea of the risk involved.

Colin


> On Feb 23, 2:48 pm, Mark Jones <mark0...@gmail.com> wrote:
>> Kind of sucks that you are worried about your server, but not worried
>> about the people that might use your site.
>>
>> I'd answer your question regarding JS except for the fact I think the
>> server and the clients should be safe for the general public, and I
>> don't want to make it that easy on you.  Allowing some script kiddie
>> to load JS into a field that will play back on someone else's machine
>> is reprehensible, even if those users aren't smart enough to install
>> noscript.
>>
>> On Feb 23, 1:32 pm, Michael Repucci <mich...@repucci.org> wrote:
>>
>> > Hi Django'ers, this will probably sound like a silly question, but
>> > normally I haven't had to think about server security (that's been
>> > someone else's job). However, on my current project I do need to
>> > consider this, and I just wanted to double-check that I understand the
>> > risks of using the "safe" tag in HTML templates.
>>
>> > I've got users that I shouldn't entirely trust, who have access to a
>> > TextField in a model, and that field is displayed in the resultant
>> > HTML with the safe filter. Now, I understand that that means the user
>> > could put JavaScript (or similar) in this field, and it will be
>> > triggered when the page loads. But this doesn't present a threat to
>> > the server security does it? PHP includes won't be interpreted, so
>> > that's not a problem, and JavaScript doesn't have access to the server
>> > file system, right? I'm just not sure whether there is potential HTML
>> > code that could be used to actually damage the server, access its
>> > files, or cause a DoS attack.
>>
>> > Any help would be greatly appreciated! Thanks in advance!!

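As an added example (not part of this thread), the stand-alone Python below shows the point Colin is making about the `safe` filter: autoescaping turns user-supplied markup into inert text, `safe` passes it through verbatim, and the only defensible way to keep user HTML is to allowlist-filter it first and mark only the filtered result safe. `SafeString` and `conditional_escape` here are minimal stand-ins that mirror Django's behaviour rather than Django's own code, and the sanitizer is an illustration of the allowlist approach, not a complete one.

```python
from html import escape
from html.parser import HTMLParser


class SafeString(str):
    """Marker for output already made HTML-safe (the role of Django's SafeString)."""


def conditional_escape(value):
    """Mirrors Django autoescaping: escape everything except values marked safe."""
    return value if isinstance(value, SafeString) else escape(str(value), quote=True)


class AllowlistSanitizer(HTMLParser):
    """Keep a small allowlist of tags/attributes; drop <script> and friends with
    their content, drop on* handlers and unknown tags. Illustrative, not complete."""
    ALLOWED = {"b": set(), "i": set(), "em": set(), "strong": set(),
               "p": set(), "br": set(), "a": {"href"}}
    STRIP_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside a stripped element

    def handle_starttag(self, tag, attrs):
        if tag in self.STRIP_CONTENT:
            self.skip += 1
        elif tag in self.ALLOWED and not self.skip:  # other tags dropped, text kept
            kept = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in attrs
                           if n in self.ALLOWED[tag] and v
                           and v.strip().lower().startswith(("http://", "https://")))
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in self.STRIP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in self.ALLOWED and not self.skip and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=True))


def sanitize(untrusted_html):
    """Allowlist-filter user markup; only this result should ever be marked safe."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return SafeString("".join(parser.out))


# Constructed sample of what an untrusted user could type into the TextField.
USER_INPUT = ('<b>hello</b><script>alert(1)</script>'
              '<a href="http://example.com" onclick="alert(2)">link</a>')
```

`conditional_escape(USER_INPUT)` is what the template renders by default, `conditional_escape(SafeString(USER_INPUT))` is what `|safe` renders, and `sanitize(USER_INPUT)` is the only one of the three that keeps the user's formatting without keeping the script.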
You received this message because you are subscribed to the Google Groups 
"Django users" group.