Re: Proposal: default escaping (and branch request)

2006-06-21 Thread James Bennett
On 6/21/06, Tyson Tate <[EMAIL PROTECTED]> wrote: > Oh - I haven't heard of the magic_quotes fiasco. Do you have any > links or more information about this? If it blew up for the PHP > folks, I think I'd be prone to changing my position on the issue. The magic_quotes setting in PHP is a

Re: Proposal: default escaping (and branch request)

2006-06-21 Thread Tyson Tate
On Jun 21, 2006, at 8:50 PM, James Bennett wrote: > Has the world honestly learned not one single solitary thing from > PHP's magic_quotes fiasco? Autoescaping all output by default is > something that is unequivocally not acceptable. Oh - I haven't heard of the magic_quotes fiasco. Do you have

Re: Proposal: default escaping (and branch request)

2006-06-21 Thread Matt McDonald
If you don't ever want to display the html then it shouldn't be stored in the first place. The escaping/removing should be done when processing the input. What's better: 1. escaping/removing when the data is saved (one time occasion) or 2. escaping/removing each time the data is used

Re: Empty models don't get created (#1972)

2006-06-21 Thread James Bennett
On 6/21/06, Tyson Tate <[EMAIL PROTECTED]> wrote: > This is my preferred choice, as well, but I'm not well-versed enough > in the internals of Django to know if allowing empty models can > create other problems outside of the admin interface. If anyone could > point me to the relevant areas of

Re: Proposal: default escaping (and branch request)

2006-06-21 Thread Tyson Tate
On Jun 21, 2006, at 6:57 PM, Jacob Kaplan-Moss wrote: > Yes, I agree -- I've never been against a template tag which does > autoescape because that's still leaving power in the hands of the > template authors. Then again, how often do you *want* to allow your users to put HTML and JS in and

Re: Proposal: default escaping (and branch request)

2006-06-21 Thread Jacob Kaplan-Moss
On Jun 21, 2006, at 9:29 PM, SmileyChris wrote: > Out of interest, have you (both Jacob and anyone else involved in this > discussion) seriously tried an auto-escaping templating system and had > a problem with it opposing your needs? At the risk of turning this into a war stories thread, I've

Re: Proposal: default escaping (and branch request)

2006-06-21 Thread SmileyChris
Hi Jacob, On Jun 21, 2006, at 5:16 PM, SmileyChris wrote: > > Having used TAL a lot (like KID, automatically escapes), I did not > > actually find this annoying. Jacob Kaplan-Moss wrote: > I really wish there was a way of saying this that didn't make me > sound like a jerk... but: > > If

Re: Proposal: default escaping (and branch request)

2006-06-21 Thread Jacob Kaplan-Moss
On Jun 21, 2006, at 8:35 PM, Todd O'Bryan wrote: > Does there seem to be consensus out there among web frameworks about > whether escape=default, raw=exception or raw=default, > escape=exception? Not really sure, myself -- my impression is that most web frameworks don't think about XSS all

Re: Proposal: default escaping (and branch request)

2006-06-21 Thread Todd O'Bryan
On Jun 21, 2006, at 6:41 PM, Jacob Kaplan-Moss wrote: > There's > no right and wrong here, there's just what "fits" with the rest of > the framework, and encapsulating a distrust of the developer into > this framework doesn't feel right. Does there seem to be consensus out there among web

Re: Better input validation (was Proposal: default escaping)

2006-06-21 Thread Ian Holsman
I have to agree with these comments. Get the crap out at the 'input'/validation level.. once it has the database/rendering stage it is too late. While this submission isn't perfect, this is what I did to protect against my own laziness on externally facing apps.

Re: Empty models don't get created (#1972)

2006-06-21 Thread Tyson Tate
On Jun 21, 2006, at 4:49 PM, Malcolm Tredinnick wrote: > What are the use cases for this sort of construction? > [...] I've always thought that any decent computer tool should either a) do what you tell it to, or b) tell you why it can't/won't do what you want it to (warnings, exceptions,

Re: trac updates/changesets not being sent?

2006-06-21 Thread Malcolm Tredinnick
On Wed, 2006-06-21 at 19:42 -0500, Jacob Kaplan-Moss wrote: > On Jun 21, 2006, at 7:28 PM, Jeremy Dunck wrote: > > Was it Unicode? How did you find the offending bits? Is it something > > we could have helped with? (Can we help next time?) > > Nah, just a small change in the layout of the

Re: trac updates/changesets not being sent?

2006-06-21 Thread Jeremy Dunck
On 6/21/06, Jacob Kaplan-Moss <[EMAIL PROTECTED]> wrote: > > On Jun 21, 2006, at 8:25 AM, Malcolm Tredinnick wrote: > > I noticed earlier this evening that automatic documentation rebuilds > > aren't happening, either (models-api.txt and templates.txt have both > > been updated today). > > OK,

Re: Empty models don't get created (#1972)

2006-06-21 Thread Malcolm Tredinnick
On Wed, 2006-06-21 at 13:35 -0700, Tyson Tate wrote: > I posted a ticket (#1972) a while ago and there's been a few other > tickets reporting the same issue, so it sounds like an issue that > should be addressed. > > Basically: A model with no explicit fields doesn't get created by >

Re: Better input validation (was Proposal: default escaping)

2006-06-21 Thread Tyson Tate
On Jun 21, 2006, at 3:31 PM, Jacob Kaplan-Moss wrote: > [...] > Another place to start solving the XSS problem is at the input level; > a policy of "don't trust data from the web" makes a lot more sense to > me than one of "don't trust the template author". Modded "+5 Insightful" :) I can

Re: Better input validation (was Proposal: default escaping)

2006-06-21 Thread Jacob Kaplan-Moss
On Jun 21, 2006, at 12:13 PM, Simon Willison wrote: > Rather than directly accessing GET and POST data > you do it through some mechanism that /guarantees/ the format of the > data returned - and raises an exception if it can't make that > guarantee. There is no possible way of invalid data

Re: Proposal: default escaping (and branch request)

2006-06-21 Thread SmileyChris
James Bennett wrote: > Security by annoyance is security that people learn to hate and turn > off as soon as they can, so in the end it doesn't really make them any > more secure than they were before. Having used TAL a lot (like KID, automatically escapes), I did not actually find this

Re: Proposal: default escaping

2006-06-21 Thread Tom Tobin
On 6/21/06, oefe <[EMAIL PROTECTED]> wrote: > > Agreed. > To prevent XSS vulnerabilities because someone forgot to specify the > escaping rule, I would suggest that templates should, maybe even must > specify their escaping. For example, require each template to contain a > special {% autoescape

Re: Proposal: default escaping

2006-06-21 Thread oefe
Hi, I'm new to this group, so let me give you a little background about myself: I'm not a professional web developer (I'm writing Windows apps), but have done a few private web projects for fun and to learn new things. I recently redesigned a TurboGears project in Django, and liked the experience

Re: Copyright and Contributions

2006-06-21 Thread Deryck Hodge
On 6/21/06, Jacob Kaplan-Moss <[EMAIL PROTECTED]> wrote: > We don't; my conversations with the company lawyers seemed to > indicate that you're implicitly assigning copyright simply by > submitting code to an OSS project. Of course IANAL, but I'm going to > trust what the ones we talked to say

Re: Proposal: default escaping (and branch request)

2006-06-21 Thread James Bennett
The more I think about it, the more I find I have two objections to the auto-escaping stuff. 1. A philosophical objection. One thing Django does, and does pretty well IMHO, is encourage best practices. Pretty much every aspect of Django, from the overall architecture of the framework to the

Re: Proposal: default escaping

2006-06-21 Thread Michael Radziej
[EMAIL PROTECTED] wrote: > no one said "forbid nothing". i said "you don't need to forbid all '<'s", > which is what you proposed was a problem with a data validation take. My point was that your approach restricts user input. "<" was a simple example for this. Not that, first, it's not really

Copyright and Contributions

2006-06-21 Thread Deryck Hodge
Hi, all. Do you guys have any guidelines with regard to copyright when accepting contributions from others? Does copyright need to be assigned to Lawrence Journal-World when submitting to Django? Or do programmers retain copyright and assign the code to the project under the BSD license? (I

Re: Proposal: default escaping

2006-06-21 Thread Pete Crosier
"My vote is for escaping being off unless explicitly turned on, and for it being turned on in the template." My thoughts exactly, my templates are the places that define the output of my applications. I can see the benefits of people being able to define how escaping happens _in the template_,

Re: Proposal: default escaping

2006-06-21 Thread Michael Radziej
[EMAIL PROTECTED] wrote: > not true. no browser interprets a single "<" as a tag unless it has a > valid tag name (and company) and closing ">" directly after it. only the > most rudimentary implementations would blindly strip "<"s without looking > at their context. So, how exactly would you

Re: Proposal: default escaping

2006-06-21 Thread Michael Radziej
Derek Hoy wrote: > On 6/20/06, SmileyChris <[EMAIL PROTECTED]> wrote: >> But it is an escaping issue. > > Isn't the most common use case for this the problem of people entering > bad stuff into a form? In which case, regarding it as a validation > issue seems good to me. This is the

Re: Proposal: default escaping

2006-06-21 Thread Derek Hoy
On 6/20/06, SmileyChris <[EMAIL PROTECTED]> wrote: > > But it is an escaping issue. Isn't the most common use case for this the problem of people entering bad stuff into a form? In which case, regarding it as a validation issue seems good to me. For example, I used Webmin a few days ago to fix

Re: Proposal: default escaping (and branch request)

2006-06-21 Thread adurdin
Michael Radziej wrote: > > IMO, the point of auto-escaping is that the template author should not have > to worry about > the origin of the string, but about how he uses it. The origin of the string > in the > context can change, just for an example. Or are we talking about different >