On Fri, Apr 27, 2012 at 11:58 PM, Voulnet <voul...@gmail.com> wrote:
> Hello
>
> Django provides great protection from XSS by escaping output to
> webpages, but it only does it in HTML context. XSS can be executed
> when user input is inserted into JavaScript or CSS, which have
> different context and rules than HTML, so HTML context escaping
> doesn't help/protect.
>
> Is there any remote chance of Django escaping extending to other
> contexts beside HTML?
>
There is the built-in escapejs filter that works fine for making user
generated content safe.

https://docs.djangoproject.com/en/1.4/ref/templates/builtins/#escapejs

Although it would be nice to be able to alter the escaping algorithm in use,
so that one can do things like this:

{% block head %}
  <link rel="stylesheet" .../>
  <script type="...">
  {% autoescape javascript %}
    var user = '{{ user.name }}';
  {% endautoescape %}
  </script>
{% endblock %}

Cheers

Tom
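As an added illustration (not code from the thread and not Django's own module) of why HTML-context escaping is the wrong tool inside a JavaScript string literal and what escapejs does instead, the following reimplements the character table Django's escapejs filter uses and renders the `var user = '...'` line from the sketch above with both escapers; the `safe_for_js_string` check and the sample input are constructed here.

```python
import html
import re

# Reimplementation of the escape table Django's escapejs filter uses: every
# character that can end a JS string literal or a <script> block becomes a
# \uXXXX escape, which is valid inside a JS string literal and is never
# decoded by the HTML parser. (Added example; not Django's own code.)
_JS_ESCAPES = {
    ord("\\"): "\\u005C", ord("'"): "\\u0027", ord('"'): "\\u0022",
    ord(">"): "\\u003E", ord("<"): "\\u003C", ord("&"): "\\u0026",
    ord("="): "\\u003D", ord("-"): "\\u002D", ord(";"): "\\u003B",
    ord("`"): "\\u0060", ord("\u2028"): "\\u2028", ord("\u2029"): "\\u2029",
}
# ASCII control characters, including CR/LF, which also terminate a JS string.
_JS_ESCAPES.update((c, "\\u%04X" % c) for c in range(32))


def escapejs(value: str) -> str:
    """Escape a value for use inside a JavaScript string literal."""
    return str(value).translate(_JS_ESCAPES)


def escape_html(value: str) -> str:
    """HTML-context escaping, roughly what Django's autoescape applies."""
    return html.escape(str(value), quote=True)


# Characters that, left raw, let input end the string literal (quotes,
# backslash, line terminators) or the script element itself (< and >).
_JS_BREAKERS = set("\\'\"<>\n\r\u2028\u2029")
_JS_UNICODE_ESCAPE = re.compile(r"\\u[0-9A-Fa-f]{4}")


def safe_for_js_string(escaped: str) -> bool:
    """True if escaped text cannot break out of a '...' or "..." literal.

    Backslashes that form a \\uXXXX escape are legitimate, so they are
    stripped before looking for breaker characters."""
    remainder = _JS_UNICODE_ESCAPE.sub("", escaped)
    return not (_JS_BREAKERS & set(remainder))


def render_script(user_name: str, escaper) -> str:
    """Render the line from the template sketch with the chosen escaper."""
    return "var user = '%s';" % escaper(user_name)


if __name__ == "__main__":
    # Constructed sample: a trailing backslash survives HTML escaping and
    # swallows the closing quote of the literal; escapejs neutralises it.
    sample = "O'Brien \\"
    for name, esc in (("escape_html", escape_html), ("escapejs", escapejs)):
        print("%-12s safe=%-5s %s" % (name, safe_for_js_string(esc(sample)),
                                       render_script(sample, esc)))
```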