On Fri, Feb 18, 2011 at 1:52 PM, dave b <db.pub.m...@gmail.com> wrote:
> Hi, I cannot see where in the django documentation it states that you
> shouldn't do something like this:
> <a href="{{usercontrolled}}"> ** (as an example of a potential
> attribute injection vector[0] - where you are not using a URLField or
> failure to call full_clean (on a URLField) ).
> That is, I cannot see where django states that 'oh by the way our
> autoescape isn't safe in a few cases' and 'you should watch out for
> attribute injection!'.
>
> So did I miss it?
>
> [0] - the user-controlled link could be javascript:alert(1)
Aha, I thought this was more interesting than it was. Obviously, if you stick user generated input into an HTML attribute, then the value of that HTML attribute is controlled by the user (and that should be obvious enough that it shouldn't need to be mentioned...).

I thought you were inferring that something like this could be dangerous:

    from django.template import Context, Template

    # the value tries to close the alt="" attribute and add an onclick handler
    ctxt = Context({'user_input': '" onclick="alert(\'pwned\')'})
    tmpl = Template('<a href="#" alt="{{ user_input }}">foo</a>')
    tmpl.render(ctxt)

Which of course it can't - it is properly escaped.

Cheers

Tom

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
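The two cases the thread contrasts, as an added example that is not part of either message and does not use Django itself: the standard library's `html.escape` stands in for Django's autoescape, since it escapes the same five characters (`&`, `<`, `>`, `"`, `'`). Tom's payload tries to break out of an attribute and is neutralised by that escaping; dave b's `javascript:alert(1)` contains none of those characters, so it passes through `href="{{ ... }}"` untouched. The scheme allowlist (`is_safe_href`, `ALLOWED_SCHEMES`) is the extra check a practitioner would add; its names and the accepted scheme list are this example's own choices, not anything from Django.

```python
# Added example, not from the thread: why HTML escaping stops attribute
# breakout but not a javascript: URL placed in href, and what to check instead.
import html
from urllib.parse import urlsplit

# Constructed payloads taken from the two messages above.
ATTRIBUTE_BREAKOUT = '" onclick="alert(\'pwned\')'   # Tom's reply
JS_URL = 'javascript:alert(1)'                       # dave b's footnote [0]

# Assumed policy for this example: only these absolute-URL schemes may be linked.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# Browsers strip these before parsing a URL, so an attacker can hide the scheme
# behind them ("java\tscript:"). Normalise the same way before inspecting it.
_STRIPPED_INSIDE = "\t\r\n"
_STRIPPED_AT_ENDS = "".join(chr(c) for c in range(0x21))  # C0 controls and space


def escape_like_autoescape(value):
    """Escape & < > \" ' as Django's autoescape does (stdlib stand-in)."""
    return html.escape(str(value), quote=True)


def render_alt(user_input):
    """Tom's template: input lands inside alt="...". Escaping keeps it there."""
    return '<a href="#" alt="%s">foo</a>' % escape_like_autoescape(user_input)


def render_href_unchecked(user_input):
    """dave b's template: input lands inside href="...". Escaping alone does not
    help, because a javascript: URL needs none of the five escaped characters."""
    return '<a href="%s">foo</a>' % escape_like_autoescape(user_input)


def is_safe_href(value):
    """Scheme allowlist, the check autoescape never performs.
    Relative URLs (no scheme) are accepted; absolute ones need a listed scheme."""
    cleaned = "".join(ch for ch in value if ch not in _STRIPPED_INSIDE)
    cleaned = cleaned.strip(_STRIPPED_AT_ENDS)
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


def render_href_checked(user_input):
    """Allowlist the scheme first, then escape; a rejected URL becomes a dead link."""
    href = user_input if is_safe_href(user_input) else "#"
    return '<a href="%s">foo</a>' % escape_like_autoescape(href)


if __name__ == "__main__":
    print(render_alt(ATTRIBUTE_BREAKOUT))        # attribute stays closed
    print(render_href_unchecked(JS_URL))         # javascript: survives escaping
    print(render_href_checked(JS_URL))           # href="#"
    print(render_href_checked("https://example.com/?a=1&b=2"))
```

The escaping and the scheme check solve different problems: escaping decides where in the HTML the value ends up, the allowlist decides what the browser will do with it once it is known to be a URL. Using a `URLField` and calling `full_clean()`, as dave b's message mentions, is the Django-side way to get the second check.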