On 23-Feb-09, at 1:45 PM, Michael Repucci wrote:

> Of course, now I'm a bit scared (thanks to my inexperience), and
> tempted to not use the safe filter at all, letting everything get
> escaped. But there are thousands of sites (e.g., message boards, blog
> sites, etc.) where users can post messages that contain HTML - as I'd
> like to do with my application - so I suspect that there must be a
> relatively simple solution. Am I wrong? I would think Django would
> have something specifically tailored to deal with this. If not, would
> it be enough to simply remove text between <script></script> tags, or
> are XSS attacks possible through other HTML tags as well (that's still
> a bit unclear to me)? Thanks for your help!
You want to use a script that only allows certain HTML tags and enforces a whitelist. Don't be naive and just use string or regular expression matching to strip only a few; there are lots of hacks that can be done. I use the SGMLParser in Plone; here's an old one: http://code.activestate.com/recipes/52281/ Some googling will probably find you more.

--
Andy McKay
ClearWind Consulting: www.clearwind.ca
Blog: www.agmweb.ca/blog/andy
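Added example (not part of either message above, and not the ActiveState recipe Andy links to, which targets the Python 2 sgmllib module that no longer exists in Python 3): a tag-and-attribute whitelist built on the standard library's html.parser. It shows why stripping only `<script>...</script>` is not enough: the parser also drops event-handler attributes such as `onerror`, rejects `javascript:` URLs (including entity-encoded and tab-broken spellings, which the parser decodes before the check), discards comments and `<style>`, re-escapes all text, and closes any tags the user left open. The allowlist itself is an assumption chosen for this example; adjust it to what your application actually needs.

```python
import html
import re
from html.parser import HTMLParser

# Assumed allowlist for this example: tags, and per tag the attributes that may survive.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(), "code": set(), "pre": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}            # never pushed on the open-tag stack
URL_ATTRS = {"href", "src"}          # attributes that must pass the scheme check
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL
DROP_CONTENT_TAGS = {"script", "style"}          # drop the tag AND everything inside it

_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)


def safe_url(value):
    """True if the URL has no scheme or one from SAFE_SCHEMES.

    Browsers ignore tabs, newlines and other control characters inside a
    scheme, so "java\tscript:alert(1)" still runs; strip them before looking.
    """
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    m = _SCHEME_RE.match(cleaned)
    scheme = m.group(1).lower() if m else ""
    return scheme in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True hands us decoded text, which we re-escape on output
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.drop_depth = 0      # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return                # unknown tag: emit nothing, keep its text
        kept = []
        for name, value in attrs:       # attribute values arrive entity-decoded
            if value is None or name not in ALLOWED_TAGS[tag]:
                continue                # onerror=, onclick=, style= etc. die here
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.drop_depth:
                self.drop_depth -= 1
            return
        if self.drop_depth or tag not in self.open_tags:
            return
        # Close everything opened since `tag` so the output stays well-formed
        while self.open_tags:
            t = self.open_tags.pop()
            self.out.append("</%s>" % t)
            if t == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                      # comments (and IE conditional comments) are dropped

    def result(self):
        while self.open_tags:     # close whatever the user left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    """Return a copy of `fragment` containing only allowlisted markup."""
    p = Sanitizer()
    p.feed(fragment)
    p.close()
    return p.result()


if __name__ == "__main__":
    # Constructed inputs: the payloads a regex that removes <script> would miss.
    for payload in ['<img src=x onerror=alert(1)>',
                    '<a href="&#106;avascript:alert(1)">click</a>',
                    '<b>unclosed <SCRIPT>alert(1)</SCRIPT>']:
        print(repr(payload), "->", repr(sanitize(payload)))
```

In a Django view or template tag you would run the stored user HTML through `sanitize()` and only then mark the result safe, never the raw input. Two caveats: html.parser is tolerant rather than browser-identical, so a maintained sanitizer library such as bleach is the better choice for production; and an allowlist is the right shape regardless of tool, since any tag or attribute you have not explicitly thought about should simply not survive.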