Just my 0.02 $CURRENCY...

Interesting they're limiting the input for a security issue [at least from the 
example] that manifests from not escaping _output_.

Seems related to something I learned early in my web career... about not 
storing values escaped, because you don't know which medium it needs escaping 
for -- e.g. HTML needs different escaping than URLs.

--
Curtis


On Tue, 18 Aug 2020, at 18:35, '1337 Shadow Hacker' via Django developers 
(Contributions to Django itself) wrote:
> Currently, when you order a security audit on a Django project from any of 
> the firms I've seen so far (including my own), all inputs fall short on stuff 
> like:
> 
> "First name input: allows special characters such as <>/"' which may cause a 
> security issue with further developments done on the same database but 
> outside Django".
> 
> As far as I can imagine, special characters would be acceptable on inputs that 
> should accept code or some kind of math, which is not the case for most 
> inputs.
> 
> Django should harden default input validation to make it easier for Django 
> projects to get a good grade on security audits, without having to go over 
> all fields to setup basic input validators.
> 

> --
> You received this message because you are subscribed to the Google Groups 
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/django-developers/EiNHz_fmHLmQXZ5ChTG0qrnp8BrP0s75szk9oDolStpIyMSz71B3yesI7U6K8QZNkUmeAN6v6zMhExwhwcbtGNeaOUgubDOIDK-Q4cVFvOw%3D%40protonmail.com
>  
> <https://groups.google.com/d/msgid/django-developers/EiNHz_fmHLmQXZ5ChTG0qrnp8BrP0s75szk9oDolStpIyMSz71B3yesI7U6K8QZNkUmeAN6v6zMhExwhwcbtGNeaOUgubDOIDK-Q4cVFvOw%3D%40protonmail.com?utm_medium=email&utm_source=footer>.
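The point Curtis makes above, that a value stored already-escaped is only right for one medium, as an added Python example (not code from this thread or from Django); the sample name and the helper names are constructed for illustration:

```python
import html
import json
from urllib.parse import quote

# Constructed sample: a first name containing exactly the characters the
# audit flagged (<>/"'), kept in storage as entered, unescaped.
RAW_NAME = 'O\'Brien <script>"x"</script>'


def html_context(value: str) -> str:
    """Escape for an HTML text node or a double-quoted attribute."""
    return html.escape(value, quote=True)


def url_context(value: str) -> str:
    """Escape for a query-string parameter; HTML entities are wrong here."""
    return quote(value, safe="")


def js_context(value: str) -> str:
    """Escape for a string literal inside <script>; json.dumps handles the
    quotes, and '</' is broken up so the literal cannot close the tag."""
    return json.dumps(value).replace("</", "<\\/")


def store_escaped_then_reuse(value: str) -> dict:
    """What goes wrong if the value was HTML-escaped *before* storage:
    the stored form suits HTML only, so it is double-escaped in HTML and
    carries entity text (&lt;) instead of the real character into a URL."""
    stored = html.escape(value, quote=True)
    return {
        "html": html.escape(stored, quote=True),  # '&amp;lt;' shown to the user
        "url": quote(stored, safe=""),            # '%26lt%3B', never '%3C'
    }


def store_raw_then_escape(value: str) -> dict:
    """The approach Curtis describes: store raw, escape per output medium."""
    return {
        "html": html_context(value),
        "url": url_context(value),
        "js": js_context(value),
    }
```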
