On 11/7/06, Oliver Lavery <[EMAIL PROTECTED]> wrote:
> Thanks. Output filtering is definitely a good thing, but I'm more worried
> about input filtering. If users are allowed to submit HTML that will be
> displayed to other users, I want to pass the HTML through a strict validator
> to keep them from posting scripts.
There's actually a somewhat non-obvious but still not-too-hard solution for that, assuming you're using XHTML or that you require HTML which can pass as well-formed XML in a pinch: Django's XMLField allows you to specify a schema against which input for that field will be validated (though it requires you to have Jing, a RELAX NG schema validator, installed on your server). I've used that, and seen it used, for other purposes, but it's definitely something that has a lot of unexplored potential. Defining a relatively safe subset of (X)HTML as a schema, and using that on an XMLField, wouldn't be terribly difficult and would be a good start (though, of course, not a complete solution) for safe input.

I agree, though, that safety needs to happen at both ends of the process (and IIRC I mentioned that a few times when escaping came up previously).

--
"May the forces of evil become confused on the way to your house."
  -- George Carlin
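As an added illustration of the "safe subset of (X)HTML as a schema" idea (this is not code from the thread, from Django's XMLField, or from Jing): the block below expresses such a subset in RELAX NG compact syntax for reference, and then enforces the same rules in pure Python on the well-formed-XML requirement the reply assumes, so it runs without Jing installed. The element and attribute allow-list, the root-element rule and the `https?://` restriction on `href` are assumptions chosen for the example; the sample submissions at the bottom are constructed, not taken from anywhere.

```python
"""Validate user-submitted (X)HTML fragments against a strict allow-list.

Added example, not part of the original thread and not Django's XMLField.
SAFE_SUBSET_RNC is the equivalent RELAX NG (compact syntax) schema, shown
for reference only; it is NOT executed here. validate_fragment() enforces
the same subset with the standard library so the block runs offline.
"""
import re
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"

# Reference only: the same allow-list expressed as a RELAX NG schema, which is
# what one would hand to Jing / XMLField. Assumed rules, not a published schema.
SAFE_SUBSET_RNC = """\
datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes"
default namespace = "http://www.w3.org/1999/xhtml"
start = element div { inline* }
inline = text
       | element p { inline* }
       | element b { inline* }
       | element i { inline* }
       | element em { inline* }
       | element strong { inline* }
       | element a { attribute href { xsd:string { pattern = "https?://[^\\s]*" } }, inline* }
"""

# Allow-list: element local name -> permitted attribute names (assumed subset).
ALLOWED_ELEMENTS = {
    "div": frozenset(),
    "p": frozenset(),
    "b": frozenset(),
    "i": frozenset(),
    "em": frozenset(),
    "strong": frozenset(),
    "a": frozenset({"href"}),
}
ROOT_ELEMENT = "div"
# Only absolute http(s) links; this is what blocks javascript:/data: URLs.
SAFE_HREF = re.compile(r"^https?://[^\s\"'<>]+$")
# Reject DOCTYPE/ENTITY up front so submitters cannot play entity tricks.
FORBIDDEN_MARKUP = re.compile(r"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def _local_name(qname):
    """Split ElementTree's '{ns}name' into (ns, name); plain names get ns=None."""
    if qname.startswith("{"):
        ns, name = qname[1:].split("}", 1)
        return ns, name
    return None, qname


def validate_fragment(html):
    """Return a list of violations; an empty list means the fragment passed."""
    problems = []
    if FORBIDDEN_MARKUP.search(html):
        return ["DOCTYPE/ENTITY declarations are not allowed"]
    try:
        root = ET.fromstring(html)
    except ET.ParseError as exc:
        # Covers tag soup and HTML-only entities such as &nbsp;: the field
        # requires XHTML, exactly the assumption the thread makes.
        return ["not well-formed XML: %s" % exc]
    _, root_name = _local_name(root.tag)
    if root_name != ROOT_ELEMENT:
        problems.append("root element must be <%s>, got <%s>" % (ROOT_ELEMENT, root_name))
    for elem in root.iter():
        ns, name = _local_name(elem.tag)
        if ns not in (None, XHTML_NS):
            problems.append("foreign-namespace element <%s>" % elem.tag)
            continue
        if name not in ALLOWED_ELEMENTS:
            problems.append("element <%s> is not allowed" % name)
            continue
        for attr, value in elem.attrib.items():
            attr_ns, attr_name = _local_name(attr)
            if attr_ns is not None or attr_name not in ALLOWED_ELEMENTS[name]:
                # Catches on* handlers, style, xlink:href, xml:lang, ...
                problems.append("attribute %s on <%s> is not allowed" % (attr, name))
            elif attr_name == "href" and not SAFE_HREF.match(value):
                problems.append("unsafe href %r on <a>" % value)
    return problems


if __name__ == "__main__":
    # Constructed sample submissions for demonstration.
    samples = [
        '<div><p>Hello <b>world</b></p></div>',
        '<div xmlns="http://www.w3.org/1999/xhtml"><i>ok</i></div>',
        '<div><script>alert(1)</script></div>',
        '<div><a href="javascript:alert(1)">x</a></div>',
        '<div><p onclick="x()">hi</p></div>',
        '<div><p>unclosed</div>',
        '<div>a&nbsp;b</div>',
    ]
    for s in samples:
        print(validate_fragment(s) or "OK", "<-", s)
```

The schema-style check only decides whether markup is structurally allowed; it says nothing about what the text inside will do once rendered, which is why the reply's point about escaping on output still stands.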