On Mon, 14 Jun 2021 at 11:12, J. Pic <j...@yourlabs.org> wrote:
> On Thu, Jun 10, 2021 at 8:34 AM Thomas Güttler <i...@thomas-guettler.de> wrote:
>>
>> This solution has two drawbacks:
>>
>> 1. It is too verbose. Typing "conditional_escape(...)" again and again is cumbersome.
>>
> from django.utils.html import conditional_escape as esc
> f'''
> <h1>Hi {esc(name)}</h1>
> Your messages: {esc(messages)}
> '''
>
>> 2. If a conditional_escape() gets forgotten, cross-site scripting attacks could be possible, since malicious users could inject HTML.
>>
> This is specific to Django and other frameworks out there which accept anything as user input by default; that's an anti-pattern which OWASP recommends against because obviously it opens a wide range of attack vectors. Absolutely no security audit would ever validate the default validation of a CharField or a TextField.

You are right. Validating user input is an important topic. But it is a different topic, which should be discussed at a different time.

> Another problem I see with this proposal is how do you actually use safe HTML in variables?
>
> msgs = [f'<li>{msg}</li>' for msg in messages]
> f'''
> <h1>Hi {name}</h1>
> Your messages: <ul>{msgs}</ul>
> '''
>
> Will output:
>
> <h1>Hi Your name</h1>
> Your messages: <ul><li>Your message</li></ul>
>
> Instead of what we would want in this situation:
>
> <h1>Hi Your name</h1>
> Your messages: <ul><li>Your message</li></ul>
>
> Otherwise good idea, it's an issue we have, even though the first immediate fix needed is Django's default input validation which is just openbar.

Thank you for your feedback James. The "magic" is done in conditional_escape():

https://github.com/django/django/blob/824981b2dc61a76a59d0e470bed6e61626a44ccf/django/utils/html.py#L92

I updated the PEP so that it contains a hyperlink to the github repo.

Regards,
Thomas
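The escaping contract the thread discusses, and the nested-markup problem J. Pic raises, as an added example (this is not code from the thread, the PEP draft, or Django): `conditional_escape` is re-implemented here with the same `__html__` rule Django uses, `HtmlFormatter`/`render` stand in for the proposed auto-escaping f-string, and `message_list` shows how a list of `<li>` items keeps its markup while each message inside it is still escaped.

```python
import html
import string


class SafeString(str):
    """A str that declares itself as trusted HTML via __html__, the marker
    conditional_escape checks for. Only build one from already-escaped pieces."""

    def __html__(self):
        return str(self)


def conditional_escape(value):
    """Escape `value` unless it exposes __html__, following the contract of
    django.utils.html.conditional_escape (re-implemented here, not Django's code)."""
    if hasattr(value, "__html__"):
        return SafeString(value.__html__())
    return SafeString(html.escape(str(value), quote=True))


class HtmlFormatter(string.Formatter):
    """Routes every interpolated field through conditional_escape, standing in for
    the auto-escaping f-string proposed in the thread (constructed helper)."""

    def format_field(self, value, format_spec):
        # Escape first; format() on the result would drop the SafeString type.
        return super().format_field(conditional_escape(value), format_spec)


def render(template, **context):
    """Render an HTML template with every {field} escaped unless marked safe."""
    return SafeString(HtmlFormatter().vformat(template, (), context))


def message_list(messages):
    """The <ul> from the thread done right: escape each message individually,
    then mark the assembled markup safe so the outer template keeps it."""
    items = "".join(f"<li>{conditional_escape(m)}</li>" for m in messages)
    return SafeString(f"<ul>{items}</ul>")


if __name__ == "__main__":
    name = "<script>alert(1)</script>"           # constructed untrusted input
    messages = ["Hello & welcome", "<b>not bold</b>"]
    # Naive: a list of plain strings is str()-ed and escaped wholesale, markup lost.
    naive = render("<h1>Hi {name}</h1> Your messages: <ul>{msgs}</ul>",
                   name=name, msgs=[f"<li>{m}</li>" for m in messages])
    # Correct: markup assembled from escaped pieces and marked safe survives.
    good = render("<h1>Hi {name}</h1> Your messages: {msgs}",
                  name=name, msgs=message_list(messages))
    print(naive)
    print(good)
```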
_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at https://mail.python.org/archives/list/python-ideas@python.org/message/U5FB7XCLWD6FIZTW6WIDSZQWM4CZLESH/
Code of Conduct: http://python.org/psf/codeofconduct/