On Fri, Feb 18, 2011 at 1:52 PM, dave b <db.pub.m...@gmail.com> wrote:
> Hi, I cannot see where in the django documentation it states that you
> shouldn't do something like this:
> <a href="{{usercontrolled}}">  ** (as an example of a potential
> attribute injection vector[0] - where you are not using a URLField or
> failure to call full_clean (on a URLField) ).
> That is, I cannot see where django states that 'oh by the way our
> autoescape isn't safe in a few cases' and 'you should watch out for
> attribute injection!'.
>
> So did I miss it?
>
> [0] - the user-controlled link could be javascript:alert(1)

Aha, I thought this was more interesting than it was. Obviously, if
you stick user generated input into an HTML attribute, then the value
of that HTML attribute is controlled by the user (and that should be
obvious enough that it shouldn't need to be mentioned...)

I thought you were inferring that something like this could be dangerous:
from django.template import Context, Template

ctxt = Context({'user_input': '" onclick="alert(\'pwned\')'})
tmpl = Template('<a href="#" alt="{{ user_input }}">foo</a>')
tmpl.render(ctxt)  # the " is rendered as &quot;, so no new attribute is created

Which of course it can't - it is properly escaped.

Cheers

Tom
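
The two cases the thread contrasts, as an added example that is not part of either message: autoescaping does neutralise the attribute-breakout payload quoted above, but it cannot do anything about a javascript: URL placed whole inside href, which is why a scheme check (the job a URLField does when it is validated) is the relevant control. The autoescape() below is a plain-Python stand-in for Django's escape filter, assumed equivalent for this purpose; the scheme allowlist is the example's own, not Django's.

```python
import html
from urllib.parse import urlsplit

# Stand-in for Django's autoescape: the five HTML-significant characters
# become entities (assumed equivalent to django.utils.html.escape here).
def autoescape(value: str) -> str:
    return html.escape(value, quote=True)

def render_link(href: str) -> str:
    """Render <a href="{{ href }}"> the way an autoescaping template does."""
    return '<a href="%s">link</a>' % autoescape(href)

# Hypothetical allowlist; relative URLs (no scheme) are also accepted.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

def is_safe_href(href: str) -> bool:
    """True if the URL's scheme is absent or on the allowlist.

    Browsers drop tab/newline characters and surrounding whitespace before
    parsing a URL, so normalise the same way before reading the scheme.
    """
    cleaned = "".join(c for c in href if c not in "\t\r\n").strip()
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES

def render_link_checked(href: str) -> str:
    """Refuse to emit a link at all when the scheme is not allowed."""
    if not is_safe_href(href):
        return "<span>invalid link</span>"
    return render_link(href)

if __name__ == "__main__":
    # Payloads from the thread, constructed here as inputs.
    print(render_link('" onclick="alert(\'pwned\')'))   # quote escaped, no onclick attribute
    print(render_link("javascript:alert(1)"))           # escaping leaves this untouched
    print(render_link_checked("javascript:alert(1)"))   # the scheme check rejects it
```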
