On 8/22/06, Ahmad Alhashemi <[EMAIL PROTECTED]> wrote:
> But if you keep poking holes in all the wrong places, then it is not
> the framework's fault.
>
> Autoescaping might be a nice DRY feature, but I don't think it has
> anything to do with being secure by default.
Usable security is about maki
Ian Holsman wrote:
> On 21/08/2006, at 9:24 PM, [EMAIL PROTECTED] wrote:
>
> You deny everything by default, and have holes added when you need them,
> and when you poke a hole you have a reference to why it is required
> (i.e. what module needs a particular variable unfiltered)
>
> Things which yo
On Sun, 20-08-2006 at 12:14 +0300, Ahmad Alhashemi wrote:
> Note that you can do this outside of Django. I think that there is
> something like this for apache called mod_security. It works
> regardless of the scripting language/framework you are using.
I wonder if you know any *sensible* rules
On 8/22/06, Ian Holsman <[EMAIL PROTECTED]> wrote:
> On 21/08/2006, at 9:24 PM, [EMAIL PROTECTED] wrote:
> > @ Ahmad - mod_security (modsecurity.org) is fantastic, and I highly
> > recommend installing it on all apaches, but filtering content at the
> > webserver level is a sledgehammer approach a
On 21/08/2006, at 9:24 PM, [EMAIL PROTECTED] wrote:
>
> @ Ahmad - mod_security (modsecurity.org) is fantastic, and I highly
> recommend installing it on all apaches, but filtering content at the
> webserver level is a sledgehammer approach and should only be done for
> *really* bad content (e.g.
I haven't RTFA - so take this with a grain of salt, but this depends on
what you mean by data sanitisation. If you're talking application
arguments - then yes, these should be whitelisted. If however, you're
talking about user submitted content, then no.
Why? Security in web applications is very
This reminds me of the autoescaping arguments.
Note that you can do this outside of Django. I think that there is
something like this for apache called mod_security. It works
regardless of the scripting language/framework you are using.
--Ahmad
On 8/20/06, Paul Sargent <[EMAIL PROTECTED]> wrote
Hi all,
I know the topic of auto-escaping user data comes up on here from time
to time. I just wondered if others had heard this.
http://www.twit.tv/floss12 PHP Creator - Rasmus Lerdorf
Say what you want about PHP (I'll happily join in ;-) ), but I found it
interesting to listen to the guy.