I haven't RTFA, so take this with a grain of salt, but this depends on what you mean by data sanitisation. If you're talking about application arguments, then yes, these should be whitelisted. If, however, you're talking about user-submitted content, then no.
Why? Security in web applications is very simple: all you have to do is filter input and escape output. The problem is working out what filtering and escaping are appropriate. If I'm outputting (X)HTML then I want to escape things like <, > and &. If, however, I'm sending data to, say, email or PDF, or XML, or next week's format of choice, then I want DIFFERENT things escaped. The stored data should be "raw" until it leaves the application and is formatted appropriately for the receiving resource. The application layer should not try to guess this in any brute-force manner; anyone who's experienced the sheer *joy* of PHP's magic quotes setting will probably agree with me here!

@ Ahmad - mod_security (modsecurity.org) is fantastic, and I highly recommend installing it on all Apaches, but filtering content at the webserver level is a sledgehammer approach and should only be done for *really* bad content (e.g. known exploits, spam bots etc.).

--Simon

You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/django-developers
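The "store raw, escape at the point of output" rule from the post above, as an added example that is not part of the original message or of Django. It uses only the Python standard library; the sample input, the function names and the `example.invalid` URL are constructed for illustration. The same raw value is escaped three different ways for three sinks (HTML text, an XML attribute, a URL query parameter), and the magic-quotes anti-pattern of HTML-escaping once on the way in is shown corrupting the non-HTML sinks.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit
from xml.sax.saxutils import quoteattr

# Constructed sample input: a user-submitted display name containing
# characters that are special in several output formats at once.
USER_INPUT = 'Tom & Jerry <script>alert("x")</script>'


def store(value: str) -> str:
    """Persist the value exactly as received: no escaping at storage time."""
    return value


def for_html_text(value: str) -> str:
    """Escape for an HTML text node or quoted attribute: &, <, >, quotes."""
    return html.escape(value, quote=True)


def for_xml_attr(value: str) -> str:
    """Escape for an XML attribute value; quoteattr adds the surrounding quotes."""
    return quoteattr(value)


def for_url_param(value: str) -> str:
    """Percent-encode for a single URL query parameter value (nothing left safe)."""
    return quote(value, safe="")


def build_search_url(stored: str) -> str:
    """Format the stored value for a URL sink at the moment it leaves the app."""
    return "https://example.invalid/search?q=" + for_url_param(stored)


def roundtrip_url(stored: str) -> str:
    """What the receiving resource actually sees after decoding the parameter."""
    return parse_qs(urlsplit(build_search_url(stored)).query)["q"][0]


def magic_quotes_store(value: str) -> str:
    """The anti-pattern: HTML-escape on input, regardless of the eventual sink."""
    return html.escape(value, quote=True)


def render_all(stored: str) -> dict:
    """Escape one stored value for every sink; each sink gets its own rules."""
    return {
        "html": for_html_text(stored),
        "xml_attr": for_xml_attr(stored),
        "url": for_url_param(stored),
    }


if __name__ == "__main__":
    raw = store(USER_INPUT)
    for sink, rendered in render_all(raw).items():
        print(f"{sink:>8}: {rendered}")
    # Raw storage survives the URL sink unchanged...
    print("url roundtrip (raw store):   ", roundtrip_url(raw))
    # ...while magic-quotes storage leaks &amp; into the URL and double-escapes HTML.
    pre = magic_quotes_store(USER_INPUT)
    print("url roundtrip (magic quotes):", roundtrip_url(pre))
    print("html (magic quotes):         ", for_html_text(pre))
```

Each `for_*` function encodes only what its sink treats as special, and the decision is taken where the value is written out, not where it is read in. The `magic_quotes_store` path shows why: the URL sink receives `&amp;` instead of `&`, and the HTML sink double-escapes it to `&amp;amp;`.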