Maybe you could write a filter "urlsafe" to use in templates so that a
variable does not contain javascript.
And you could create a command that scans templates and raises an alert for
every variable inside an href attribute that is not "urlsafe".
But I believe that a tool is used to work, not to do the work for me. And
Django is a tool.
It's like the Java paradox: Java is a language that hides a lot of
problems and tries to resolve them without the programmers. Result: you
cannot trust a Java programmer, because often he doesn't know what the code
really does.

For this reason, I think this kind of problem is better left to developers
to resolve. The better solution is to document the problem better.

I think it is out of the scope of djangodevtools.
In other words, djangodevtools is not a library for development, but a
library to help the development process itself.


On Wed, Feb 23, 2011 at 13:15, Mike Ramirez <gufym...@gmail.com> wrote:

> On Wednesday, February 23, 2011 03:36:32 am you wrote:
>
> > Oh yes, actually xsyncdb is just the syncdb taken from 1.3alpha. I'm
> > developing with 1.2.5 but try to take the good stuff from the trunk, and in
> > 1.3 it is possible to use a hidden load_initial_data parameter :-)
>
> Cool.
>
> > xloaddata is a more verbose loaddata; often, in developing, some changes
> > may break the fixtures. xloaddata tells you which is the last good fixture
> > loaded before the error. (It is just a print of obj.)
>
> The question on xloaddata wasn't about this, but the use of zip vs gzip vs
> bzip2.
>
> I never use zip for compressing data, just because it's one of the worst
> compressions around. I prefer gzip/bzip/7z/rar (rarely rar these days),
> because they are much better compression tools. The only point I can see to
> adding support for zip with a single file is to compress it to save some
> diskspace/transfer; the other compressions make more sense to me. If adding
> support for multiple files, zip is only useful for random access; tar would
> also need to be supported for multiple files, gzip/bzip as they are pure
> compression and have no archiving available to them without tar. Hence the
> use of tarballs.
>
> gzip, bzip2 and tar are all supported as part of the Python standard library
> along with zip, and I am just wondering the reason for not using these.
>
> Just a fun fact: I only use zip when dealing with people who are not
> technically inclined and don't understand the different
> compression/archiving tools around and don't know about 7zip, which is
> very few people these days. This is why I'm curious.
>
> > xshell instead is a shortcut that automatically loads all models of your
> > applications. With xshell you don't need to import your models from the
> > shell.
>
> Got it, not my cup of tea though. In some cases I need to conserve memory
> and this isn't conducive to that... see webfaction's hosting plans for an
> example of why I think this way. But nice still.
>
> > For the utility "scan templates" for obvious XSS mistakes,
> > it could be a good tool, but I need your help to add this feature. I have
> > first to understand what you mean by obvious.
>
> Well, that's why I linked the thread to you. Because it has the info there,
> but there are certain rules for escaping some data loaded into templates.
>
> See the XSS Prevention Cheat Sheet for examples[1]. This would be part of
> the javascript utilities I think. Also see the OP's 1st post in the thread
> linked in the other email for an example of what not to do in Django's
> templates.
>
> If you're not really up on web site security, you should see the OWASP
> FAQ[2]. You might be able to find other ways to enhance secure development
> with your toolset. I think I might be interested in helping you with some
> of this; right now I have one site to build (from scratch) and upgrade 2
> others to 1.3, so time is limited, but I know this would be useful. Let's
> keep an open dialog on this.
>
> For the most part django itself provides a lot of help under the hood for
> a lot of it. Like SQL injection is bypassed a lot with the whitelisting of
> urls and the ORM itself escaping user supplied input, and CSRF tokens for
> some XSS attack vectors.
>
> Mike
>
> [1] http://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
>
> [2] http://www.owasp.org/index.php/OWASP_Application_Security_FAQ
>
> --
>
> Patch griefs with proverbs.
>
> -- William Shakespeare, "Much Ado About Nothing"
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.
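As an added example, not code from the thread or from djangodevtools, here is one way to implement the two ideas floated at the top of the reply: a "urlsafe" template filter that rejects link values with a dangerous scheme, and a scanner that flags every `{{ ... }}` inside an href attribute that does not pass through that filter. Everything below is an assumption of this example: the allow-list of schemes (http, https, mailto), the "#" fallback, the regex-based scanner (a lint, not a real template parse), and the sample template. The Django registration via `django.template.Library` is guarded so the module also runs without Django installed.

```python
import re

# Schemes a link may use.  Anything else (javascript:, data:, vbscript:, ...)
# is replaced by FALLBACK.  The allow-list and the fallback are assumptions
# for this example; a project would tune both.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
FALLBACK = "#"

# Browsers remove ASCII tab/newline anywhere in a URL and strip leading and
# trailing C0 controls and spaces before parsing, so "java\tscript:" or
# "\x01javascript:" still executes.  Normalise the same way before checking.
_TAB_NEWLINE = re.compile(r"[\t\n\r]")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def urlsafe(value, fallback=FALLBACK):
    """Return value unchanged if it is relative or uses an allowed scheme.

    Returns fallback otherwise.  The result is not marked safe, so Django's
    autoescaping still HTML-escapes it when rendered into the attribute.
    """
    if value is None:
        return fallback
    url = _TAB_NEWLINE.sub("", str(value)).strip(_C0_AND_SPACE)
    match = _SCHEME.match(url)
    if match is None:
        return url  # no scheme at all: a relative URL, nothing to abuse
    if match.group(1).lower() in ALLOWED_SCHEMES:
        return url
    return fallback


# Register the filter as "urlsafe" when Django is importable; the scanner
# below is plain Python and does not need Django.
try:
    from django import template

    register = template.Library()
    register.filter("urlsafe", urlsafe)
except ImportError:
    pass


# Scanner: every {{ ... }} inside an href="..." / href='...' value must carry
# the urlsafe filter somewhere in its filter chain.  Regex-based, so it is
# a lint, not a real template parse (a "|" inside a quoted filter argument
# would confuse the split below).
_HREF_ATTR = re.compile(r"""href\s*=\s*(["'])(.*?)\1""", re.IGNORECASE | re.DOTALL)
_VARIABLE = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)


def scan_template(source):
    """Return [(line_number, expression)] for each unfiltered href variable."""
    findings = []
    for attr in _HREF_ATTR.finditer(source):
        value_start = attr.start(2)
        for var in _VARIABLE.finditer(attr.group(2)):
            expr = var.group(1).strip()
            # "link|default:'#'|urlsafe" -> filter names ["default", "urlsafe"]
            filters = [f.strip().split(":", 1)[0] for f in expr.split("|")[1:]]
            if "urlsafe" not in filters:
                line = source.count("\n", 0, value_start + var.start()) + 1
                findings.append((line, expr))
    return findings


# Constructed sample template for this example, not taken from any project.
SAMPLE_TEMPLATE = """<ul>
  <li><a href="{{ profile.homepage }}">home</a></li>
  <li><a href="{{ profile.homepage|urlsafe }}">home (safe)</a></li>
  <li><a href='/users/{{ profile.id }}/'>profile</a></li>
  <li><a href="{{ link|default:'#'|urlsafe }}">link</a></li>
</ul>
"""


if __name__ == "__main__":
    for line, expr in scan_template(SAMPLE_TEMPLATE):
        print("line %d: {{ %s }} in href without |urlsafe" % (line, expr))
    for candidate in ("https://example.com/", "/about/",
                      "javascript:alert(1)", " \tjava\nscript:alert(1)"):
        print(repr(candidate), "->", repr(urlsafe(candidate)))
```

To make the filter loadable with `{% load %}` the module would sit in an app's `templatetags/` package; the scanner can be wrapped in a management command that walks each app's template directories and prints the findings. The scanner deliberately flags `{{ profile.id }}` on line 4 even though the "/users/" prefix already fixes the scheme: a lint that is conservative about where a variable lands in an href is easier to reason about than one that tries to decide which prefixes are harmless.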
