This reminds me of the autoescaping arguments. Note that you can do this outside of Django. I think that there is something like this for Apache called mod_security. It works regardless of the scripting language/framework you are using.
--Ahmad

On 8/20/06, Paul Sargent <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> I know the topic of auto-escaping user data comes up on here from time
> to time. I just wondered if others had heard this.
>
> http://www.twit.tv/floss12 PHP Creator - Rasmus Lerdorf
>
> Say what you want about PHP (I'll happily join in ;-) ), but I found it
> interesting to listen to the guy. I would have thought he's learnt a
> few lessons in all the time PHP has been on the front line.
>
> At about the 40 minute mark (it might start a little earlier) Rasmus
> talks about his ideas on how to deal with XSS style holes in PHP Code.
> My take was this was a method he was already using at Yahoo.
>
> Basically (for those who are too lazy / busy to listen) he talks about
> having a 'firewall' that incoming data passes through and is sanitized
> by. Then all data is deemed safe for output. 'Holes can be poked in the
> firewall' if you need to be able to enter HTML (for example). It struck
> me that we could do something similar in the manipulators. They already
> validate. Why not sanitize?
>
> Key point is not to let the attack in the system, rather than to avoid
> executing it.
>
> Paul
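An added example, not code from the thread or from Django, of the "input firewall" Paul describes: every posted field is escaped on the way in, one field gets a hole poked for a small allowlist of inline tags, and the page is then rendered without any output-time escaping. The form data, `HTML_ALLOWED` and the tag allowlist are constructed for the example; the caveat the autoescaping arguments turn on is that data sanitized this way is safe only for the HTML text/attribute contexts it was escaped for, so other output contexts still need their own escaping.

```python
import html
import re

# Constructed sample form submission (not from the thread).
POSTED = {
    "username": "<script>alert(1)</script>bob",
    "bio": "I like <b>Django</b> & Python",
}

# "Holes poked in the firewall": fields where some HTML is expected.
HTML_ALLOWED = {"bio"}

# After html.escape, re-enable only bare allowlisted inline tags.
# Tags with attributes (e.g. onclick=...) never match and stay escaped.
SAFE_TAG_RE = re.compile(r"&lt;(/?)(b|i|em|strong)&gt;")


def allowlist_html(value: str) -> str:
    """Escape everything, then restore a small set of harmless tags."""
    return SAFE_TAG_RE.sub(r"<\1\2>", html.escape(value, quote=True))


def input_firewall(posted: dict) -> dict:
    """Sanitize every field on the way in, as the quoted message proposes.

    Plain fields are fully HTML-escaped (quotes included, so they are
    also safe inside quoted attributes); allowlisted fields keep their
    permitted tags. The result is what would be stored and later shown.
    """
    return {
        field: allowlist_html(value) if field in HTML_ALLOWED
        else html.escape(value, quote=True)
        for field, value in posted.items()
    }


def render_profile_html(cleaned: dict) -> str:
    """Template with no output escaping: it relies entirely on the firewall.

    Caveat: this only holds for HTML contexts. The same stored value is
    not automatically safe inside a <script> block or a URL, which is why
    context-aware output escaping is still needed elsewhere.
    """
    return (
        f'<h1 title="{cleaned["username"]}">{cleaned["username"]}</h1>'
        f"<p>{cleaned['bio']}</p>"
    )


if __name__ == "__main__":
    print(render_profile_html(input_firewall(POSTED)))
```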