Hi all, I know the topic of auto-escaping user data comes up on here from time to time. I just wondered if others had heard this.
http://www.twit.tv/floss12 (PHP Creator - Rasmus Lerdorf)

Say what you want about PHP (I'll happily join in ;-) ), but I found it interesting to listen to the guy. I would have thought he's learnt a few lessons in all the time PHP has been on the front line.

At about the 40 minute mark (it might start a little earlier) Rasmus talks about his ideas on how to deal with XSS-style holes in PHP code. My take was that this was a method he was already using at Yahoo.

Basically (for those who are too lazy / busy to listen), he talks about having a 'firewall' that incoming data passes through and is sanitized by. Then all data is deemed safe for output. 'Holes can be poked in the firewall' if you need to be able to enter HTML (for example).

It struck me that we could do something similar in the manipulators. They already validate. Why not sanitize? Key point is not to let the attack into the system, rather than to avoid executing it.

Paul
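As an added illustration (not part of Paul's post, and not Django's or Yahoo's own code): a minimal, stand-alone Python sketch of the "firewall with holes" idea. Every incoming field is HTML-escaped on the way in; fields declared as "html" in the policy are the poked holes and instead go through a tag/attribute allowlist that also drops non-http(s)/mailto link schemes. The field names, the policy, the sample form submission and the allowlist are all constructed for the example. The last function adds the check a practitioner would want alongside this design: if the page is later rendered by a template engine that also escapes on output, a value that was pre-escaped at the boundary comes out double-escaped, so input sanitizing and output escaping have to be deliberately coordinated rather than stacked.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist for the "hole" in the firewall (constructed for this example).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "a", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", "mailto"}  # absolute URLs only; relative links are rejected here


class _AllowlistSanitizer(HTMLParser):
    """Rebuild markup keeping only allowlisted tags/attributes; text is escaped, everything else dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities in input become text and are re-escaped
        self.out = []
        self._open = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text content still arrives via handle_data and is escaped
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name == "href" and urlparse(value.strip()).scheme.lower() not in SAFE_SCHEMES:
                    continue  # javascript:, data:, vbscript: etc. are dropped
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in self._open:
            # Close any tags left open inside the one being closed, so output stays well-formed.
            while self._open:
                closing = self._open.pop()
                self.out.append(f"</{closing}>")
                if closing == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

    def result(self):
        while self._open:  # close anything the input left dangling
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize_text(value):
    """Strict policy: no markup survives at all."""
    return html.escape(value, quote=True)


def sanitize_html(value):
    """Relaxed policy (the 'hole'): allowlisted markup survives, the rest is escaped or dropped."""
    parser = _AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return parser.result()


class InputFirewall:
    """Per-field policy applied to every submission before it enters the system."""

    def __init__(self, policy):
        self.policy = policy  # {field_name: "text" | "html"}

    def clean(self, data):
        cleaned = {}
        for field, raw in data.items():
            mode = self.policy.get(field, "text")  # unknown fields fall back to the strict policy
            cleaned[field] = sanitize_html(raw) if mode == "html" else sanitize_text(raw)
        return cleaned


def render_autoescaped(value):
    """What a template engine that escapes on output does to a value already escaped at the boundary."""
    return html.escape(value, quote=True)


# Constructed sample submission: one plain-text field, one field allowed to carry HTML.
POLICY = {"username": "text", "bio": "html"}
SAMPLE_POST = {
    "username": "mallory<script>alert(document.cookie)</script>",
    "bio": '<p>Hi <b>there</b><img src=x onerror=alert(1)> '
           '<a href="javascript:alert(1)">me</a> <a href="https://example.org/">site</a></p>',
}

if __name__ == "__main__":
    cleaned = InputFirewall(POLICY).clean(SAMPLE_POST)
    for field, value in cleaned.items():
        print(f"{field}: {value}")
    print("double-escaped on output:", render_autoescaped(cleaned["username"]))
```

The sanitized username is safe to drop into an HTML body or a quoted attribute, but it is now stored with entities in it; a template that escapes again turns `&lt;` into `&amp;lt;`, and a raw SQL or JSON consumer of the same value gets entities it never asked for. That is the trade-off of escaping at the boundary instead of at the point of output.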