Re: django unicode-conversion, beginning
Malcolm Tredinnick wrote:
> Metaphorically cutting off both our arms so that we appear
> more aerodynamic is probably not a gain worth making.

This is the explanation! :-)

>> 5. Internally, work with unicode strings exclusively (after
>> transcoding the request and the template). Response should be python
>> unicode as well up until the moment it gets sent out.
>
> That's the idea.

It really works like this already by accepting unicode and also StringIO buffers with unicode.

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/django-developers
-~--~~~~--~~--~--~---
Re: Re: django unicode-conversion, beginning
On 8/20/06, Malcolm Tredinnick <[EMAIL PROTECTED]> wrote:
> Metaphorically cutting off both our arms so that we appear
> more aerodynamic is probably not a gain worth making.

That's going in my quotes file.

-- 
"May the forces of evil become confused on the way to your house."
-- George Carlin
XSS comments from PHP Creator
Hi all,

I know the topic of auto-escaping user data comes up on here from time to time. I just wondered if others had heard this.

http://www.twit.tv/floss12 PHP Creator - Rasmus Lerdorf

Say what you want about PHP (I'll happily join in ;-) ), but I found it interesting to listen to the guy. I would have thought he's learnt a few lessons in all the time PHP has been on the front line.

At about the 40 minute mark (it might start a little earlier) Rasmus talks about his ideas on how to deal with XSS style holes in PHP code. My take was this was a method he was already using at Yahoo.

Basically (for those who are too lazy / busy to listen) he talks about having a 'firewall' that incoming data passes through and is sanitized by. Then all data is deemed safe for output. 'Holes can be poked in the firewall' if you need to be able to enter HTML (for example). It struck me that we could do something similar in the manipulators. They already validate. Why not sanitize?

Key point is not to let the attack in the system, rather than to avoid executing it.

Paul
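To make the two strategies in this post concrete, here is an added example written for this thread (my own code, not Rasmus's Yahoo firewall and not anything in Django): a tiny sanitize-on-input "firewall" with one hole poked for an HTML field, next to plain escape-on-output. The field names, the KEEP_TAGS allowlist and the submitted values are all constructed for the demonstration.

```python
import html
import re

# Constructed sample form submission (not taken from the thread).
SUBMISSION = {
    "name": "<script>alert(1)</script>Bob",
    "bio": '<b>hello</b><img src=x onerror="alert(1)">',
}

# "Holes in the firewall": fields the application explicitly allows to carry HTML.
HTML_ALLOWED_FIELDS = {"bio"}
# Tags the sanitizer keeps inside those fields; every other tag is dropped,
# and attributes are never kept, so an event handler cannot ride in on a kept tag.
KEEP_TAGS = {"b", "i", "em", "strong", "p"}
TAG_RE = re.compile(r"<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def sanitize_html(value):
    """Keep only allowlisted tags, stripped of all attributes."""
    def keep_or_drop(match):
        closing, name = match.group(1), match.group(2).lower()
        return "<%s%s>" % (closing, name) if name in KEEP_TAGS else ""
    return TAG_RE.sub(keep_or_drop, value)


def firewall(data):
    """Sanitize-on-input: every field is made 'safe for output' as it enters.
    Ordinary fields are escaped; allowlisted fields go through the sanitizer."""
    cleaned = {}
    for field, value in data.items():
        if field in HTML_ALLOWED_FIELDS:
            cleaned[field] = sanitize_html(value)
        else:
            cleaned[field] = html.escape(value, quote=True)
    return cleaned


def render_escaped(template, data):
    """Escape-on-output: the template layer escapes every value it substitutes,
    regardless of where the value came from or what the firewall already did."""
    return template.format(**{k: html.escape(v, quote=True) for k, v in data.items()})
```

Two things this shows. The regex sanitizer is only a sketch of the "hole": a deployment would use a parser-based HTML sanitizer, because tag regexes are easy to confuse. And feeding firewall output into an escaping template double-escapes it (`&amp;lt;script...`), which is why a project has to pick one place to make data safe and stick with it; the firewall fixes the output context as HTML at input time, while output escaping decides per template.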
Re: XSS comments from PHP Creator
This reminds me of the autoescaping arguments. Note that you can do this outside of Django. I think that there is something like this for apache called mod_security. It works regardless of the scripting language/framework you are using.

--Ahmad

On 8/20/06, Paul Sargent <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> I know the topic of auto-escaping user data comes up on here from time
> to time. I just wondered if others had heard this.
>
> http://www.twit.tv/floss12 PHP Creator - Rasmus Lerdorf
>
> Say what you want about PHP (I'll happily join in ;-) ), but I found it
> interesting to listen to the guy. I would have thought he's learnt a
> few lessons in all the time PHP has been on the front line.
>
> At about the 40 minute mark (it might start a little earlier) Rasmus
> talks about his ideas on how to deal with XSS style holes in PHP code.
> My take was this was a method he was already using at Yahoo.
>
> Basically (for those who are too lazy / busy to listen) he talks about
> having a 'firewall' that incoming data passes through and is sanitized
> by. Then all data is deemed safe for output. 'Holes can be poked in the
> firewall' if you need to be able to enter HTML (for example). It struck
> me that we could do something similar in the manipulators. They already
> validate. Why not sanitize?
>
> Key point is not to let the attack in the system, rather than to avoid
> executing it.
>
> Paul
>
Re: Graham Dumpleton about mod_python
I do remember posting a comment on the Django docs site about mod_python and mpm-worker crashes a while ago, but I cannot find it on the Django site anymore. In any case, we were using mod_python 3.1.3-3. I'm happy to hear it's been fixed in 3.2.8. Unfortunately, even Debian unstable is still at 3.2.7, so I think a warning about this is necessary.
Proposal: Django Apps & Project Repository (again)
There are some threads talking about the apps repository already, but till now, no repository has been found. So I want to suggest again: we should build an official project web site to host django apps or projects. So we can easily share our source code and exchange our ideas. And I think 0.95 is stable enough, so why do we still need to wait for 1.0? If there is an official web site to host these things, we can reuse others' source code easily and improve django more, I think.

-- 
I like python!
My Blog: http://www.donews.net/limodou
My Django Site: http://www.djangocn.org
NewEdit Maillist: http://groups.google.com/group/NewEdit
Re: JavaScript and Changeset 3541
Malcolm Tredinnick wrote:
> On Sat, 2006-08-19 at 07:57 +, simonbun wrote:
>> I'm not so sure it's such a bad idea to bundle a JS toolkit with the
>> framework.
>
> It's only been a month since the last time we had this thread. Do we
> have to do this again? :-(
>
> Really, you bring up nothing that hasn't been covered in the Lord knows
> how many threads on this we've had over the last eight to 12 months.
>
> Lack of a "blessed" or included Javascript toolkit does not prevent
> anybody from writing Ajax applications. It does not prevent anybody from
> doing anything they could do if we had a library included, outside of
> the maybe four people who work on the Admin interface.
>
> You claim that including a toolkit will "make Ajax a possibility", but
> since it's already a possibility (people are already building
> Ajax-enabled Django-backed websites), it's not clear what you mean.

+1. Bundling a toolkit is checkboxing, frankly.

"I'm not so sure it's such a bad idea to bundle a JS toolkit with the framework."

I read that as "an AJAX toolkit would be nice to have".

cheers
Bill
Re: Proposal: Django Apps & Project Repository (again)
Hi limodou,

limodou wrote:
> There are some threads talking about the apps repository already, but
> till now, no repository has been found. So I want to suggest again: we
> should build an official project web site to host django apps or
> projects. So we can easily share our source code and exchange our ideas.
> And I think 0.95 is stable enough, so why do we still need to wait for 1.0?
> If there is an official web site to host these things, we can reuse
> others' source code easily and improve django more, I think.
>

I made a call for a new project on sourceforge today.
I would call it django-userlibs.

Regards,
Dirk

-- 
Real DSL flat rate, permanently for 0 euros*. Only for a short time!
"Feel free" with GMX DSL: http://www.gmx.net/de/go/dsl
Re: django unicode-conversion, beginning
On 20-aug-2006, at 8:55, Malcolm Tredinnick wrote:

>> 5. Internally, work with unicode strings exclusively (after
>> transcoding the request and the template). Response should be python
>> unicode as well up until the moment it gets sent out.
>
> That's the idea.

Not so fast. You want to be liberal and send out BIG5 and JIS output, but at the same time use Unicode strings on the inside. How are you going to represent the characters which you want to preserve and handle specially with these Asian encodings if all you have in the machinery is Unicode? If you can't handle these characters then what is the point of having switchable output and input?

Are there browsers that don't handle UTF-8? I mean, modern ones. Even Lynx does it properly. How are you going to encodeURIComponent in JS with other charsets? Encode URIs?

> Metaphorically cutting off both our arms so that we appear
> more aerodynamic is probably not a gain worth making.

I don't agree, but I rest my case. I just thought UTF-8 is the optimum compromise and enough non-conformity already. Thought that Django can be one of those frameworks that cut the knot instead of spending weeks unwinding it.

-- 
Julian 'Julik' Tarkhanov
please send all personal mail to me at julik.nl
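The "unicode inside, transcode at the edges" design that Malcolm and Julian are arguing about, as an added example written for this thread (not Django's conversion code; Python 3, so the internal type is `str` where the thread says "unicode"): decode the request body at the input edge, keep text inside, encode at the output edge in the negotiated charset, and see what happens to characters that charset cannot carry. The Big5 sample body and the emoji are constructed inputs.

```python
# Constructed sample request body, as a browser would submit it from a Big5 page.
SAMPLE_BODY_BIG5 = "小明".encode("big5")


def decode_request(body: bytes, charset: str) -> str:
    """Input edge: bytes -> str. Strict decoding makes a wrong charset label
    fail loudly instead of silently producing mojibake that is later stored."""
    return body.decode(charset, errors="strict")


def encode_response(text: str, charset: str) -> bytes:
    """Output edge: str -> bytes in the negotiated charset. Strict, so text the
    charset cannot represent raises UnicodeEncodeError rather than being mangled."""
    return text.encode(charset, errors="strict")


def encode_response_html(text: str, charset: str) -> bytes:
    """Same, but unrepresentable characters become numeric character references
    (&#...;). That is fine inside an HTML body and useless in headers, cookies
    or URLs, which is the limitation of switchable output charsets."""
    return text.encode(charset, errors="xmlcharrefreplace")


def representable(text: str, charset: str) -> bool:
    """Can this text be sent out in this charset without loss?"""
    try:
        text.encode(charset, errors="strict")
    except UnicodeEncodeError:
        return False
    return True


def round_trip(body: bytes, in_charset: str, out_charset: str) -> bytes:
    """The whole pipeline: transcode in, work on str, transcode out."""
    text = decode_request(body, in_charset)
    greeting = "Hello, " + text  # all internal work happens on str
    return encode_response_html(greeting, out_charset)
```

The last two functions are where the thread's disagreement lives: with UTF-8 as the only output charset, `representable` is always true and the edge code shrinks to two lines; with Big5 or JIS output it has to decide, per response, what to do with text the charset cannot carry.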
Proposal: Search Manipulator
I had a need to provide a "Search by example" form, and I thought of a new type of manipulator similar to an AddManipulator and ChangeManipulator. I've started the code, and would be happy to submit when I'm done if you guys/gals think it Django-ish enough.

The idea is that a view to handle searching could look like:

    from django import forms
    from django.shortcuts import render_to_response

    def address_search(request):
        # Proposed SearchManipulator, generated on the model like the
        # existing AddManipulator and ChangeManipulator.
        manipulator = Address.SearchManipulator()
        if request.GET:
            new_data = request.GET.copy()
            # Convert the submitted strings to Python values, as the
            # other manipulators do.
            manipulator.do_html2python(new_data)
            # Build the query from the fields the user actually filled in.
            query_dict = manipulator.search(new_data)
            return render_to_response('address_list.html', {'query_dict': query_dict})
        else:
            errors = new_data = {}
            form = forms.FormWrapper(manipulator, new_data, errors)
            return render_to_response('address_search.html', {'form': form})

Thanks,
Corey
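What `manipulator.search(new_data)` would have to do, as an added example (my own code for this thread, not Corey's manipulator and not Django's): turn the submitted fields into filter lookups, skipping blank fields in search-by-example fashion, and only for fields the form has allowlisted, so a client cannot add its own query keys and walk into related models. The SEARCHABLE_FIELDS map and the ADDRESSES rows are constructed stand-ins for an Address model and its table.

```python
# Hypothetical allowlist of searchable fields for an Address model, mapping each
# field to the lookup the search should use. Constructed for this example.
SEARCHABLE_FIELDS = {
    "street": "icontains",
    "city": "icontains",
    "postcode": "exact",
}

# Constructed sample rows standing in for Address objects.
ADDRESSES = [
    {"street": "1 Main St", "city": "Lawrence", "postcode": "66044"},
    {"street": "2 High St", "city": "Lawrence", "postcode": "66045"},
    {"street": "3 Low Rd", "city": "Topeka", "postcode": "66603"},
]


def build_search_query(data, searchable=SEARCHABLE_FIELDS):
    """Turn submitted form values into ORM-style filter kwargs.

    Blank fields are ignored (an empty example matches everything), and only
    allowlisted fields become lookups. Without the allowlist a client could
    submit keys such as 'owner__email__startswith' and use the search form to
    probe fields and related models the form never meant to expose."""
    query = {}
    for field, value in data.items():
        if field not in searchable:
            continue
        value = (value or "").strip()
        if not value:
            continue
        query["%s__%s" % (field, searchable[field])] = value
    return query


def matches(row, query):
    """Apply the query to one row; implements the two lookups used above."""
    for key, wanted in query.items():
        field, lookup = key.rsplit("__", 1)
        actual = str(row.get(field, ""))
        if lookup == "icontains" and wanted.lower() not in actual.lower():
            return False
        if lookup == "exact" and actual != wanted:
            return False
    return True


def search(rows, data):
    """Search by example over an in-memory table."""
    query = build_search_query(data)
    return [row for row in rows if matches(row, query)]
```

In the real view the dict returned by `build_search_query` is what goes into `Address.objects.filter(**query)`; the in-memory `matches` is only here so the example runs without a database.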
Re: Proposal: Django Apps & Project Repository (again)
On 8/20/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Hi limodou,
>
> limodou wrote:
> > There are some threads talking about the apps repository already, but
> > till now, no repository has been found. So I want to suggest again: we
> > should build an official project web site to host django apps or
> > projects. So we can easily share our source code and exchange our ideas.
> > And I think 0.95 is stable enough, so why do we still need to wait for 1.0?
> > If there is an official web site to host these things, we can reuse
> > others' source code easily and improve django more, I think.
> >
>
> I made a call for a new project on sourceforge today.
> I would call it django-userlibs.
>
> Regards,
> Dirk
> --
>

Good. But what I hope for is a django apps/projects centre that every djangoer can access, not one that only several people can access. And I hope it would be provided officially.

-- 
I like python!
My Blog: http://www.donews.net/limodou
My Django Site: http://www.djangocn.org
NewEdit Maillist: http://groups.google.com/group/NewEdit
Re: Safe settings context processor
Ok, I agree that if we start putting individual settings it will lead to a bit too much pollution. But Ivan, you need to access the STYLE_URL setting. Having access to settings via SafeSettings could be useful still, right?
Re: Safe settings context processor
I'm one of those people who uses a custom template context processor to access settings in virtually all of my templates. Specifically, I use this code [1] to access SITE_URL and MEDIA_URL so that my templates can build absolute links within my sites.

However, I don't believe that this functionality needs to be Django proper. It would be nice, but you don't *need* this to make a Django project work.

But if you do want to access settings. Seriously. Make your own library. Stick your custom template context processor in it. And import your library in all your projects. Simple.

Bryan :)

[1] http://www.verdjn.com/browser/verdjnlib/context_processors

On 8/18/06, SmileyChris <[EMAIL PROTECTED]> wrote:
>
> Way back in ticket http://code.djangoproject.com/ticket/1278, Adrian
> declared that a settings context processor was not going to happen. The
> reason being that it could give template authors direct access to the
> db password / secret key.
>
> Recently I coded up
> http://code.djangoproject.com/wiki/SafeSettingsContextProcessor, which
> uses the same get_safe_settings which the debug error page shows.
>
> Is this still too dangerous? As long as it's off by default, isn't it
> safe enough?
>
> On a side note, most people just want access to media_url, so I
> actually would be happy with just
> http://code.djangoproject.com/ticket/2532. Every web site wanting to
> use static CSS will need to access this variable somehow, won't they?
> Otherwise it has to be hard coded and that's not very Djangoish...
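The two designs discussed in this thread side by side, as an added example written for it (my own code, not the context processor at the verdjn.com link and not Django's get_safe_settings): a masking processor in the spirit of the debug page, which exposes everything and blanks values whose names look sensitive, and an explicit allowlist like Bryan's SITE_URL/MEDIA_URL processor, which exposes only what is named. FakeSettings stands in for django.conf.settings with placeholder values, and the HIDDEN_SETTINGS pattern is my assumption, not Django's.

```python
import re


class FakeSettings:
    """Constructed stand-in for django.conf.settings; all values are placeholders."""
    DEBUG = False
    SECRET_KEY = "placeholder-secret"
    DATABASE_PASSWORD = "placeholder-db-password"
    MEDIA_URL = "/media/"
    SITE_URL = "https://example.com"
    STYLE_URL = "/static/css/"
    _helper = "lower-case attributes are not settings"


# Assumed name pattern for the masking approach; anything it misses leaks.
HIDDEN_SETTINGS = re.compile(r"SECRET|PASSWORD|TOKEN|KEY|SIGNATURE", re.IGNORECASE)

# Settings the allowlist approach is willing to hand to templates.
TEMPLATE_SETTINGS = ("MEDIA_URL", "SITE_URL", "STYLE_URL")


def masked_settings(settings, hidden=HIDDEN_SETTINGS):
    """Expose every upper-case setting, masking values whose name looks sensitive.
    Fails open: a sensitive setting with an unexpected name goes through unmasked."""
    out = {}
    for name in dir(settings):
        if not name.isupper():
            continue
        value = getattr(settings, name)
        out[name] = "********" if hidden.search(name) else value
    return out


def allowlisted_settings(settings, names=TEMPLATE_SETTINGS):
    """Expose only the named settings.
    Fails closed: a new setting is invisible to templates until it is listed here."""
    return {name: getattr(settings, name) for name in names if hasattr(settings, name)}


def settings_context_processor(request, settings=FakeSettings):
    """Shape of a Django context processor: takes the request, returns a dict
    merged into every RequestContext. The allowlist is the variant used here."""
    return {"settings": allowlisted_settings(settings)}
```

Run against FakeSettings, the masking variant still hands `DEBUG` and every future setting to template authors and depends on the name pattern to catch secrets, which is the concern behind ticket 1278; the allowlist variant gives templates the three URLs and nothing else, so adding a new secret to settings cannot widen what templates see.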