On Tue, May 15, 2012 at 8:59 AM, Stephen McDonald <stephen...@gmail.com> wrote:
> Stephen from Mezzanine here - thanks for the thorough response Russ.
>
> The cleansing process we go through is very rigorous - we're leaning
> on the shoulders of tools that have solved this problem (in our case
> the bleach library). It uses a white-list of tags and attributes, so
> all those tricky edge cases around event handlers as attributes are
> solved with a well-documented white-list based on known XSS vectors.

Hi Stephen,

Just to be clear to everyone -- I'm not accusing Mezzanine of doing something wrong here. As far as I can make out, Mezzanine is doing the very best it can do under the circumstances. Leveraging an existing trusted library for cleansing is the best possible solution given the constraints for this particular problem.

Unfortunately, as you've pointed out, there's no way to do it the "right way" (i.e., not trusting user content) in this case, so the best you can do is lock down everything as much as possible, and give users what remains of the shotgun and hope they don't point it at anything too critical :-)

Russ %-)
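To make the white-list approach Stephen describes concrete, here is an added example, written for this thread and not taken from Mezzanine or from the bleach library: a small stand-in sanitizer built on Python's standard-library HTMLParser. It keeps only an allow-list of tags and, per tag, an allow-list of attributes, so event-handler attributes (onclick, onerror, ...) are dropped simply because they are not on the list, and href values are additionally checked against an allow-list of URL schemes. The tag and attribute sets and the scheme list are assumptions chosen for illustration; bleach's own defaults differ, and bleach escapes disallowed tags by default rather than stripping them as this stand-in does.

```python
"""Allow-list HTML sanitizer (illustrative stand-in, not bleach or Mezzanine code).

Everything not explicitly on the allow-list is dropped; text content is
always HTML-escaped on the way out so it can never be interpreted as markup.
"""
from html import escape
from html.parser import HTMLParser

# Assumed allow-lists chosen for this example; a real deployment would tune them.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}          # no tag gets on* attributes
ALLOWED_URL_PREFIXES = ("http://", "https://", "mailto:", "/")
VOID_TAGS = {"br"}                                # tags that take no closing tag


class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # decode &lt; etc., re-escape on output
        self.out = []
        self.open_tags = []

    @staticmethod
    def _safe_url(value):
        # Reject javascript:, data:, vbscript: and anything else not on the list.
        return value.strip().lower().startswith(ALLOWED_URL_PREFIXES)

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                                # drop the tag, keep its text as text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                          # covers onclick, onerror, style, ...
            value = value or ""
            if name == "href" and not self._safe_url(value):
                continue                          # disallowed URL scheme
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag in self.open_tags:
            # Close anything opened after it as well, so nesting stays balanced.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        # Script/style bodies arrive here too; escaping renders them inert text.
        self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:                     # close anything left dangling
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def clean(html):
    """Return an allow-list sanitized version of untrusted HTML."""
    s = WhitelistSanitizer()
    s.feed(html)
    s.close()
    return s.result()


if __name__ == "__main__":
    # Constructed sample inputs covering the cases the thread mentions.
    for sample in (
        '<p onclick="alert(1)">hi <b>there</b></p>',
        '<a href="javascript:alert(1)">x</a>',
        '<a href="https://example.com" title="t">ok</a>',
        '<img src=x onerror=alert(1)>after',
        '<script>alert(1)</script>',
    ):
        print(repr(sample), "->", repr(clean(sample)))
```

The important property is that safety comes from the list of what is allowed, not from a list of what is forbidden: a new event-handler attribute or an unusual tag never needs to be added anywhere to be rejected. The one place this still requires judgement is URL-bearing attributes like href, which is why they get a scheme allow-list of their own.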