James,

That's perfect, thanks! If I have to roll my own, at least using a validator like RELAX NG makes it somewhat less painful.

Jing though? Eeep, all them Java VMs firing up could get costly. Perhaps I'll try to hack it to use xmllint.

Cheers,
~ol


On 11/7/06, James Bennett <[EMAIL PROTECTED]> wrote:

On 11/7/06, Oliver Lavery <[EMAIL PROTECTED]> wrote:
> Thanks. Output filtering is definitely a good thing, but I'm more worried
> about input filtering. If users are allowed to submit HTML that will be
> displayed to other users, I want to pass the HTML through a strict validator
> to keep them from posting scripts.

There's actually a somewhat non-obvious but still not-too-hard
solution for that, assuming you're using XHTML or that you require
HTML which can pass as well-formed XML in a pinch: Django's XMLField
allows you to specify a schema against which input for that field will
be validated (though it requires you to have Jing, a RELAX NG schema
validator, installed on your server). I've used that, and seen it
used, for other purposes, but it's definitely something that has a lot
of unexplored potential.

Defining a relatively safe subset of (X)HTML as a schema, and using
that on an XMLField, wouldn't be terribly difficult and would be a
good start (though, of course, not a complete solution) for safe
input.

I agree, though, that safety needs to happen at both ends of the
process (and IIRC I mentioned that a few times when escaping came up
previously).


--
"May the forces of evil become confused on the way to your house."
  -- George Carlin
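A concrete version of the schema James sketches, as an added example that is not from the original thread and not part of Django: a RELAX NG grammar (XML syntax) that admits only a small allowlist of XHTML elements, with `href` as the sole permitted attribute anywhere and its value constrained by a pattern. The element set, the `div` wrapper as root, the absence of a namespace, the file name `safe-xhtml.rng` and the URL pattern are all assumptions of this example, not anything the thread specifies.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- safe-xhtml.rng (hypothetical): a conservative subset of XHTML for
     user-submitted fragments. The fragment must be a single <div> wrapper;
     any element or attribute not listed below makes validation fail. -->
<grammar xmlns="http://relaxng.org/ns/structure/1.0"
         datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes">

  <start>
    <element name="div">
      <ref name="block-content"/>
    </element>
  </start>

  <!-- Block-level content: zero or more paragraphs or unordered lists. -->
  <define name="block-content">
    <zeroOrMore>
      <choice>
        <ref name="p"/>
        <ref name="ul"/>
      </choice>
    </zeroOrMore>
  </define>

  <define name="p">
    <element name="p">
      <ref name="inline-content"/>
    </element>
  </define>

  <define name="ul">
    <element name="ul">
      <oneOrMore>
        <element name="li">
          <ref name="inline-content"/>
        </element>
      </oneOrMore>
    </element>
  </define>

  <!-- Inline content: text plus a few formatting elements. None of these
       elements accepts any attribute, so on* event handlers and style
       attributes are rejected along with script/object/iframe, which are
       simply not in the allowlist. -->
  <define name="inline-content">
    <zeroOrMore>
      <choice>
        <text/>
        <element name="em"><ref name="inline-content"/></element>
        <element name="strong"><ref name="inline-content"/></element>
        <element name="code"><ref name="inline-content"/></element>
        <element name="br"><empty/></element>
        <ref name="a"/>
      </choice>
    </zeroOrMore>
  </define>

  <!-- Links: href is the only attribute permitted anywhere in the grammar.
       Its value must be an absolute http(s) URL, a root-relative path, or a
       fragment, so javascript: and data: URIs fail the pattern. -->
  <define name="a">
    <element name="a">
      <attribute name="href">
        <data type="string">
          <param name="pattern">(https?://[^\s"']+|/[^\s"']*|#[^\s"']*)</param>
        </data>
      </attribute>
      <ref name="inline-content"/>
    </element>
  </define>
</grammar>
```

This can be checked with xmllint rather than Jing, as Oliver hopes to do: `xmllint --noout --relaxng safe-xhtml.rng fragment.xml` exits non-zero when the fragment is not well-formed XML, uses an element or attribute outside the allowlist, or carries an `href` that does not match the pattern. As James says, this is a start rather than a complete solution: the schema constrains structure only, so the text content still needs escaping on output, and any element added to the allowlist later needs the same scrutiny of its attributes.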


You received this message because you are subscribed to the Google Groups "Django users" group.