On 6/21/06, Tyson Tate <[EMAIL PROTECTED]> wrote:
> Oh - I haven't heard of the magic_quotes fiasco. Do you have any
> links or more information about this? If it blew up for the PHP
> folks, I think I'd be prone to changing my position on the issue.
The magic_quotes setting in PHP is a "feature"
On Jun 21, 2006, at 8:50 PM, James Bennett wrote:
> Has the world honestly learned not one single solitary thing from
> PHP's magic_quotes fiasco? Autoescaping all output by default is
> something that is unequivocally not acceptable.
Oh - I haven't heard of the magic_quotes fiasco. Do you have a
If you don't ever want to display the html then it shouldn't be
stored in the first place. The escaping/removing should be done when
processing the input. What's better:
1. escaping/removing when the data is saved (one time occasion) or
2. escaping/removing each time the data is used (infinit
On 6/21/06, Tyson Tate <[EMAIL PROTECTED]> wrote:
> This is my preferred choice, as well, but I'm not well-versed enough
> in the internals of Django to know if allowing empty models can
> create other problems outside of the admin interface. If anyone could
> point me to the relevant areas of cod
On 6/21/06, Tyson Tate <[EMAIL PROTECTED]> wrote:
> Then again, how often do you *want* to allow your users to put HTML
> and JS in and allow it to be executed? Not often, I imagine.
This depends completely on the type of application. Some applications
will have very little HTML input by users, b
On Jun 21, 2006, at 6:57 PM, Jacob Kaplan-Moss wrote:
> Yes, I agree -- I've never been against a template tag which does
> autoescape because that's still leaving power in the hands of the
> template authors.
Then again, how often do you *want* to allow your users to put HTML
and JS in and al
On Jun 21, 2006, at 9:29 PM, SmileyChris wrote:
> Out of interest, have you (both Jacob and anyone else involved in this
> discussion) seriously tried an auto-escaping templating system and had
> a problem with it opposing your needs?
At the risk of turning this into a war stories thread, I've ha
Hi Jacob,
On Jun 21, 2006, at 5:16 PM, SmileyChris wrote:
> > Having used TAL a lot (like KID, automatically escapes), I did not
> > actually find this annoying.
Jacob Kaplan-Moss wrote:
> I really wish there was a way of saying this that didn't make me
> sound like a jerk... but:
>
> If y
On Jun 21, 2006, at 8:35 PM, Todd O'Bryan wrote:
> Does there seem to be consensus out there among web frameworks about
> whether escape=default, raw=exception or raw=default,
> escape=exception?
Not really sure, myself -- my impression is that most web frameworks
don't think about XSS all th
On Jun 21, 2006, at 6:41 PM, Jacob Kaplan-Moss wrote:
> There's
> no right and wrong here, there's just what "fits" with the rest of
> the framework, and encapsulating a distrust of the developer into
> this framework doesn't feel right.
Does there seem to be consensus out there among web framew
On Jun 21, 2006, at 7:47 PM, Malcolm Tredinnick wrote:
> Sorry about that. I had not properly remembered that portions of
> runtests.py were used to generate the docs. :-(
Oh, no problem -- the doc generation code is a total one-off anyway,
so I kinda expect having to maintain it from time to t
I have to agree with these comments.
get the crap out at the 'input'/validation level.. once it has the
database/rendering stage it is too late.
while this submission isn't perfect, this is what I did to protect
against my own laziness on externally facing apps.
http://svn.zyons.python-hosti
On Jun 21, 2006, at 4:49 PM, Malcolm Tredinnick wrote:
> What are the use cases for this sort of construction?
> [...]
I've always thought that any decent computer tool should either a) do
what you tell it to, or b) tell you why it can't/won't do what you
want it to (warnings, exceptions, et
On Wed, 2006-06-21 at 19:42 -0500, Jacob Kaplan-Moss wrote:
> On Jun 21, 2006, at 7:28 PM, Jeremy Dunck wrote:
> > Was it Unicode? How did you find the offending bits? Is it something
> > we could have helped with? (Can we help next time?)
>
> Nah, just a small change in the layout of the test
On Jun 21, 2006, at 7:28 PM, Jeremy Dunck wrote:
> Was it Unicode? How did you find the offending bits? Is it something
> we could have helped with? (Can we help next time?)
Nah, just a small change in the layout of the test directory that
broke the update script (see http://code.djangoproje
On 6/21/06, Jacob Kaplan-Moss <[EMAIL PROTECTED]> wrote:
>
> On Jun 21, 2006, at 8:25 AM, Malcolm Tredinnick wrote:
> > I noticed earlier this evening that automatic documentation rebuilds
> > aren't happening, either (models-api.txt and templates.txt have both
> > been updated today).
>
> OK, got
On Wed, 2006-06-21 at 13:35 -0700, Tyson Tate wrote:
> I posted a ticket (#1972) a while ago and there's been a few other
> tickets reporting the same issue, so it sounds like an issue that
> should be addressed.
>
> Basically: A model with no explicit fields doesn't get created by
> syncdb,
On Jun 21, 2006, at 3:31 PM, Jacob Kaplan-Moss wrote:
> [...]
> Another place to start solving the XSS problem is at the input level;
> a policy of "don't trust data from the web" makes a lot more sense to
> me than one of "don't trust the template author".
Modded "+5 Insightful" :) I can attest
On Jun 21, 2006, at 8:25 AM, Malcolm Tredinnick wrote:
> I noticed earlier this evening that automatic documentation rebuilds
> aren't happening, either (models-api.txt and templates.txt have both
> been updated today).
OK, got this fixed (thanks!)
Jacob
On Jun 21, 2006, at 5:16 PM, SmileyChris wrote:
> Having used TAL a lot (like KID, automatically escapes), I did not
> actually find this annoying.
I really wish there was a way of saying this that didn't make me
sound like a jerk... but:
If you like TAL better, use it.
Again, I'm not
Hi,
How about adding a command to django-admin.py that scans all the
templates of the project and enabled apps and gives you a list of
templates that have unescaped values in them, maybe even display the
tags/lines concerned. IMHO this could be very valuable info for a
developer.
Rudolph
On Jun 21, 2006, at 12:13 PM, Simon Willison wrote:
> Rather than directly accessing GET and POST data
> you do it through some mechanism that /guarantees/ the format of the
> data returned - and raises an exception if it can't make that
> guarantee. There is no possible way of invalid data ending
James Bennett wrote:
> Security by annoyance is security that people learn to hate and turn
> off as soon as they can, so in the end it doesn't really make them any
> more secure than they were before.
Having used TAL a lot (like KID, automatically escapes), I did not
actually find this annoying.
On 6/21/06, oefe <[EMAIL PROTECTED]> wrote:
>
> Agreed.
> To prevent XSS vulnerabilities because someone forgot to specify the
> escaping rule, I would suggest that templates should, maybe even must
> specify their escaping. For example, require each template to contain a
> special {% autoescape
Hi,
I'm new to this group, so let me give you a little background about
myself:
I'm not a professional web developer (I'm writing Windows apps), but
have done a few private web projects for fun and to learn new things. I
recently redesigned a TurboGears project in Django, and liked the
experience
I posted a ticket (#1972) a while ago and there's been a few other
tickets reporting the same issue, so it sounds like an issue that
should be addressed.
Basically: A model with no explicit fields doesn't get created by
syncdb, but syncdb doesn't throw any warnings or errors. Consider the
On 6/21/06, Jacob Kaplan-Moss <[EMAIL PROTECTED]> wrote:
> We don't; my conversations with the company lawyers seemed to
> indicate that you're implicitly assigning copyright simply by
> submitting code to an OSS project. Of course IANAL, but I'm going to
> trust what the ones we talked to say be
On Jun 21, 2006, at 1:26 PM, Deryck Hodge wrote:
> I just wondered if Django had any copyright
> contingencies when submitting large chunks of code (obviously, small
> patches aren't as much a concern.) No biggie, if not.
We don't; my conversations with the company lawyers seemed to
indicate t
Hi, Wilson.
On 6/21/06, Wilson Miner <[EMAIL PROTECTED]> wrote:
>
> AFAIK this is a non-issue with BSD. Under BSD, LJW can do anything
> with code that becomes part of Django, and so can anybody else. If you
> copyright your code, that's independent from you submitting it as a
> patch or committi
Hello
Now, I am sharing with you
another website that is excellent for IT Jobs.
Currently, this website has
more than 6000 IT Jobs And 100 new IT Jobs are coming
daily.
Please check this link and enjoy
your dream job.
www.it-jse.com
Special thing about this website
is, they are present
On 21 Jun 2006, at 17:48, James Bennett wrote:
> And while we're at it, let's get serious about input handling. The
> first thing which occurs to me is to add a 'hasNoHTML' validator in
> django.core.validators; possibly this would be accompanied by a
> boolean 'allows_html' argument to TextFiel
AFAIK this is a non-issue with BSD. Under BSD, LJW can do anything
with code that becomes part of Django, and so can anybody else. If you
copyright your code, that's independent from you submitting it as a
patch or committing it to the project. Committers must be able to
attest that the code they
And just to clarify, when I talk about implementing the escaping
system, I mean a block tag which escapes everything inside itself as
appropriate. Nothing more, nothing less.
--
"May the forces of evil become confused on the way to your house."
-- George Carlin
The more I think about it, the more I find I have two objections to
the auto-escaping stuff.
1. A philosophical objection. One thing Django does, and does pretty
well IMHO, is encourage best practices. Pretty much every aspect of
Django, from the overall architecture of the framework to the worki
[EMAIL PROTECTED] wrote:
> no one said "forbid nothing". i said "you don't need to forbid all '<'s",
> which is what you proposed was a problem with a data validation take.
My point was that your approach restricts user input. "<" was a
simple example for this.
Not that, first, it's not really s
no one said "forbid nothing". i said "you don't need to forbid all '<'s",
which is what you proposed was a problem with a data validation take.
you would obviously forbid html in an HTMLSafeCharField, which does limit
user's input. i'm just saying that in the vast, vast, vast majority of
form in
Hi, all.
Do you guys have any guidelines with regard to copyright when
accepting contributions from others? Does copyright need to be
assigned to Lawrence Journal-World when submitting to Django? Or do
programmers retain copyright and assign the code to the project under
the BSD license? (I kn
"My vote is for escaping being off unless explicitly turned on, and for it being turned on in the template."
My thoughts exactly, my templates are the places that define the output of my applications. I can see the benefits of people being able to define how escaping happens _in the template_, _if
[EMAIL PROTECTED] wrote:
> not true. no browser interprets a single "<" as a tag unless it has a
> valid tag name (and company) and closing ">" directly after it. only the
> most rudimentary implementations would blindly strip "<"s without looking
> at their context.
So, how exactly would you v
not true. no browser interprets a single "<" as a tag unless it has a
valid tag name (and company) and closing ">" directly after it. only the
most rudimentary implementations would blindly strip "<"s without looking
at their context.
(and they would be wrong anyway - consider )
> Derek Hoy w
Derek Hoy wrote:
> On 6/20/06, SmileyChris <[EMAIL PROTECTED]> wrote:
>> But it is an escaping issue.
>
> Isn't the most common use case for this the problem of people entering
> bad stuff into a form? In which case, regarding it as a validation
> issue seems good to me.
This is the perl-taint-a
On Wed, 2006-06-21 at 05:35 -0700, Luke Plant wrote:
>
> Jacob Kaplan-Moss wrote:
>
> > Yeah, the media server failed early this morning.
> >
> > It should be fixed now, but I think the updates still aren't being
> > sent and I'll look into it.
>
> Cheers, updates seem to be working now. The c
On 6/20/06, SmileyChris <[EMAIL PROTECTED]> wrote:
>
> But it is an escaping issue.
Isn't the most common use case for this the problem of people entering
bad stuff into a form? In which case, regarding it as a validation
issue seems good to me.
For example, I used Webmin a few days ago to fix s
Hi Andrew,
it appears to be decided that Adrian won't include auto-escaping,
but I'd like to round-up this discussion so that we can gather
the pros and cons somewhere. I bet that this discussion will pop
up again ...
For as much as I see, the discussion looks pretty thorough. I
acknowledge your
Jacob Kaplan-Moss wrote:
> Yeah, the media server failed early this morning.
>
> It should be fixed now, but I think the updates still aren't being
> sent and I'll look into it.
Cheers, updates seem to be working now. The community aggregator still
doesn't though.
Luke
Michael Radziej wrote:
>
> IMO, the point of auto-escaping is that the template author should not have
> to worry about
> the origin of the string, but about how he uses it. The origin of the string
> in the
> context can change, just for an example. Or are we talking about different
> meanings