Re: Proposal to add a secure JSON encoding template tag

2014-05-15 Thread David Evans
Thanks. This is a good example of the problem actually as that library is 
vulnerable to XSS. If someone can get the string "]]>" into the 
JSON they break out of the CDATA block and the script element and can then 
execute arbitrary code.

On Wednesday, 14 May 2014 14:57:06 UTC+1, Michael Mior wrote:
>
> I've used django-jsonify (https://pypi.python.org/pypi/django-jsonify/) 
> in the past for this successfully. I'm not certain of the security of 
> the code since unfortunately I didn't have the time to do a proper audit, 
> but it seemed to handle some common cases.
>
> --
> Michael Mior
>
> On Tuesday, May 13, 2014 6:03:43 AM UTC-4, David Evans wrote:
>>
>> There was some discussion previously (see 
>> https://code.djangoproject.com/ticket/17419) of adding a JSON encoding 
>> filter to Django. This was rejected as being impossible (or very difficult) 
>> to do securely. However the requirement to embed JSON in an HTML page is 
>> quite a common one, and it's easy to get wrong and create XSS 
>> vulnerabilities. We should make it easy for people to do the right thing.
>>
>> I propose a ``json`` tag (implementation 
>> here) 
>> which outputs the entire script element as well as the JSON data. By 
>> enforcing the context in which the JSON is output, it's possible to 
>> escape it securely.
>>
>> It would have two basic modes of operation. The first, and recommended, 
>> one would look like this:
>>
>> {% json data id="initial-data" %}
>>
>>
>> and would produce HTML like this:
>>
>> <script type="application/json" id="initial-data">
>>   {"foo": "bar"}
>> </script>
>>
>>
>> The resulting data would be accessed in JavaScript like this:
>>
>> var el = document.getElementById('initial-data');
>> var initialData = JSON.parse(el.textContent || el.innerText);
>>
>>
>> This is compatible with a strict Content Security Policy which prohibits 
>> all in-page script execution and maintains a clean separation between 
>> passive data and executable code.
>>
>> The second mode of operation would look like this:
>>
>> {% json data var="initialData" %}
>>
>>
>> and would produce HTML like this:
>>
>> <script>
>>   var initialData = {"foo": "bar"};
>> </script>
>>
>>
>> This isn't compatible with strict CSP but it is perhaps simpler and more 
>> familiar to many developers, and not fundamentally insecure, so it should 
>> still be supported.
>>
>> Of course, the key issue is whether this can be done securely. In the 
>> gist below is a proposed implementation with links to the sources I've used 
>> to ensure I'm escaping things correctly: 
>> https://gist.github.com/evansd/41ea9dfc90d87f6afde1
>>
>> If people are happy with it then I can create a proper pull request with 
>> docs etc.
>>
>> Thanks,
>>
>> Dave
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at http://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/8dfe3cf8-f55b-4b51-bb04-a362fc4876a1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
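The escaping the proposal depends on, worked through as an editor's example. This is not code from the gist, from django-jsonify or from Django itself; the function names (json_for_script, json_script_tag, json_var_tag), the type="application/json" attribute and the sample payloads are assumptions made for the illustration. It goes one step beyond the thread by also covering U+2028/U+2029, which are legal inside JSON strings but terminate a line in older JavaScript engines and so matter for the "var" mode.

```python
import html
import json

# Characters whose presence in raw JSON lets attacker data alter the enclosing
# HTML: '<' and '>' together cover "</script>", "<!--" and "]]>", and '&' is
# escaped so the output stays inert if it is ever reused in an attribute.
# Each is replaced with its JSON \uXXXX escape, so the text remains valid JSON.
_SCRIPT_SAFE = {
    ord("<"): "\\u003c",
    ord(">"): "\\u003e",
    ord("&"): "\\u0026",
}

# Sequences that must never appear verbatim in JSON placed inside <script>.
_DANGEROUS = ("</", "<!--", "]]>", "\u2028", "\u2029")


def json_for_script(value):
    """Serialise value so the result can sit between <script> tags.

    ensure_ascii=True already turns U+2028/U+2029 into \\u escapes;
    translate() then neutralises the HTML-significant characters.
    json.loads() of the result gives value back unchanged.
    """
    return json.dumps(value, ensure_ascii=True).translate(_SCRIPT_SAFE)


def json_script_tag(value, element_id):
    """Mode 1 from the proposal: a non-executable data block.

    type="application/json" (assumed attribute) keeps the browser from
    executing the block, so the page can run under a CSP that forbids inline
    scripts. The id is attribute-escaped because it is the one non-JSON
    value we emit into the markup.
    """
    return '<script type="application/json" id="%s">%s</script>' % (
        html.escape(element_id, quote=True),
        json_for_script(value),
    )


def json_var_tag(value, var_name):
    """Mode 2 from the proposal: assign the data to a JavaScript variable.

    The variable name comes from the template author, not from user data,
    but reject anything that is not a plain identifier so a typo cannot
    turn into code. (str.isidentifier is Python's rule; it is slightly
    stricter than JavaScript's, which is the safe direction.)
    """
    if not var_name.isidentifier():
        raise ValueError("not a safe variable name: %r" % (var_name,))
    return "<script>var %s = %s;</script>" % (var_name, json_for_script(value))


def naive_json(value):
    """What many hand-rolled templates do: json.dumps straight into the page."""
    return json.dumps(value, ensure_ascii=False)


def is_script_safe(json_text):
    """True if none of the break-out sequences occur in the serialised text."""
    return not any(seq in json_text for seq in _DANGEROUS)


# Constructed attacker-controlled strings, e.g. a user's profile bio that a
# view serialises into the page's initial data.
BREAKOUT_PAYLOADS = [
    "</script><script>alert(1)</script>",   # closes the script element
    "]]><script>alert(1)</script>",          # closes a CDATA wrapper
    "<!--<script>",                          # script-data escape ambiguity
    "\u2028alert(1)",                        # raw line terminator in JS
]


def compare(payload):
    """Return (naive_is_safe, hardened_is_safe, round_trips) for one payload."""
    data = {"bio": payload}
    naive = naive_json(data)
    hardened = json_for_script(data)
    return (
        is_script_safe(naive),
        is_script_safe(hardened),
        json.loads(hardened) == data,
    )


if __name__ == "__main__":
    for p in BREAKOUT_PAYLOADS:
        print(repr(p), compare(p))
    print(json_script_tag({"foo": "bar"}, "initial-data"))
    print(json_var_tag({"foo": "bar"}, "initialData"))
```

The check worth keeping in mind: the escaped output is still valid JSON, so JSON.parse() on the client sees exactly the original value, while the browser's HTML tokenizer never sees a literal "<", ">" or "&" inside the script element. Escaping "<" alone is not enough for the CDATA case the reply describes, which is why ">" is escaped as well.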


Re: Why not Single Table Inheritance?

2014-05-15 Thread Tom Evans
On Thu, May 15, 2014 at 4:11 PM, Christian Schmitt
 wrote:
> This is already merged.
>
> https://docs.djangoproject.com/en/1.6/topics/db/models/#multi-table-inheritance
>

MTI is not STI, nor is it polymorphic.

Cheers

Tom

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/CAFHbX1%2BUzp1VpY7JNK4%2BCV%3Djr8Ave7Gt7jbtW6JMs9B_KVacsw%40mail.gmail.com.


Re: Why not Single Table Inheritance?

2014-05-15 Thread Christian Schmitt
This is already merged.

https://docs.djangoproject.com/en/1.6/topics/db/models/#multi-table-inheritance



Am Montag, 12. Mai 2014 11:27:01 UTC+2 schrieb guettli:
>
> Single Table Inheritance is used by ruby-on-rails and SQLAlchemy. 
>
> Are there reasons why it is used in django? 
>
> I would love to see a polymorphic inheritance solution in django. 
>
> I know that there are third party apps which provide this, but 
> something like this should be in the core. 
>
> There was some discussion about this [1]. One reason against it was, 
> that supporting not-null is not available. But a db constraint which 
> checks the type and data column could solve this. 
>
> What do you think? 
>
>Thomas Güttler 
>
> [1] 
> https://code.djangoproject.com/wiki/ModelInheritance#a1.ModelingparentrelationsinSQL
>  
>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/7df9c4cb-daa2-41be-b08f-804dbba348e2%40googlegroups.com.