I'm certainly worried about both, but I would like the users to be
able to add JavaScript. Changes to the site will actually have to be
monitored for offensive content (including both JavaScript and
offensive language), so hopefully such content wouldn't be up for very
long. But I was just worried that an attack on the server could (in
theory) be made before the site manager had a chance to monitor, and
remove, an offending script.

But perhaps I'm going about this in completely the wrong way. I'm by
no means a professional web developer; I'm completely self-taught. So
any further advice you could give would be great. Thanks!

On Feb 23, 2:48 pm, Mark Jones <mark0...@gmail.com> wrote:
> Kind of sucks that you are worried about your server, but not worried
> about the people that might use your site.
>
> I'd answer your question regarding JS except for the fact I think the
> server and the clients should be safe for the general public, and I
> don't want to make it that easy on you.  Allowing some script kiddie
> to load JS into a field that will play back on someone else's machine
> is reprehensible, even if those users aren't smart enough to install
> noscript.
>
> On Feb 23, 1:32 pm, Michael Repucci <mich...@repucci.org> wrote:
>
> > Hi Django'ers, this will probably sound like a silly question, but
> > normally I haven't had to think about server security (that's been
> > someone else's job). However, on my current project I do need to
> > consider this, and I just wanted to double-check that I understand the
> > risks of using the "safe" tag in HTML templates.
>
> > I've got users that I shouldn't entirely trust, who have access to a
> > TextField in a model, and that field is displayed in the resultant
> > HTML with the safe filter. Now, I understand that that means the user
> > could put JavaScript (or similar) in this field, and it will be
> > triggered when the page loads. But this doesn't present a threat to
> > the server security does it? PHP includes won't be interpreted, so
> > that's not a problem, and JavaScript doesn't have access to the server
> > file system, right? I'm just not sure whether there is potential HTML
> > code that could be used to actually damage the server, access its
> > files, or cause a DoS attack.
>
> > Any help would be greatly appreciated! Thanks in advance!!
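Added example (Python standard library only, not code from the thread or from Django itself): what Django's default autoescaping produces for the untrusted TextField versus what ``|safe`` emits unchanged, plus a hypothetical allowlist sanitizer, ``sanitize``, standing in for the filtering step that is missing when the raw field is marked safe. ``USER_INPUT`` is a constructed sample of what an untrusted user might store in the field.

```python
import html
from html.parser import HTMLParser

# Constructed sample of untrusted user content stored in the TextField.
USER_INPUT = '<p onclick="alert(1)">Hello <b>world</b></p><script>alert(1)</script>'


def render_escaped(value: str) -> str:
    """What {{ field }} yields with Django's default autoescaping: markup is neutralised."""
    return html.escape(value, quote=True)


def render_safe(value: str) -> str:
    """What {{ field|safe }} yields: the stored markup, including any script, verbatim."""
    return value


ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br"}   # hypothetical policy for this demo
VOID_TAGS = {"br"}                                      # tags that take no closing tag


class AllowlistSanitizer(HTMLParser):
    """Keep only allowlisted tags, drop every attribute, discard <script>/<style> bodies."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
        elif tag in ALLOWED_TAGS and not self.skip_depth:
            self.out.append(f"<{tag}>")  # attributes (onclick, href, ...) are dropped

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=True))  # text is re-escaped


def sanitize(value: str) -> str:
    """Reduce untrusted HTML to the allowlisted subset before it is ever marked safe."""
    parser = AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)
```

Only the output of ``sanitize`` is a candidate for ``mark_safe``/``|safe``; the toy allowlist here illustrates the idea, and a maintained sanitizing library with a reviewed tag/attribute policy is the right tool for a deployed site.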