Thanks! That's a great place for me to start. While we're on the general topic of security, I've got another question. In my application, users are also allowed to upload a file, which will be served (to allow other users or visitors to download it). I've used a clean_<fieldname>() method on the form to scan the file name for disallowed extensions (using the regexp r"(?i)(?P<ext> (?:cgi|htaccess|php[0-9s]?|[ps]html?|pl|pyc?|rb)(?:\..+)?)$"), and add ".txt" if such an extension is found. Is this sufficient, or should I come up with a whitelist for uploads too? Obviously the latter would be safer, but there's worth in having the added flexibility, provided I haven't left a huge hole open.
On Feb 23, 4:50 pm, Andy Mckay <a...@clearwind.ca> wrote:
> On 23-Feb-09, at 1:45 PM, Michael Repucci wrote:
>
> > Of course, now I'm a bit scared (thanks to my inexperience), and
> > tempted to not use the safe filter at all, letting everything get
> > escaped. But there are thousands of sites (e.g., message boards, blog
> > sites, etc.) where users can post messages that contain HTML - as I'd
> > like to do with my application - so I suspect that there must be a
> > relatively simple solution. Am I wrong? I would think Django would
> > have something specifically tailored to deal with this. If not, would
> > it be enough to simply remove text between <script></script> tags, or
> > are XSS attacks possible through other HTML tags as well (that's still
> > a bit unclear to me)? Thanks for your help!
>
> You want to use a script to only allow certain HTML tags and enforce a
> whitelist. Don't be naive and just use string or regular expression to
> strip only a few, there's lots of hacks that can be done. I use the
> SGMLParser in Plone, here's an old
> one: http://code.activestate.com/recipes/52281/
> some googling will probably find you more.
> --
> Andy McKay
> ClearWind Consulting: www.clearwind.ca
> Blog: www.agmweb.ca/blog/andy
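An added example, not code from this thread or from Plone, of the parser-based tag whitelist Andy describes in the quoted reply, written against Python's standard html.parser rather than the SGMLParser recipe he links. The allowed tag and attribute sets, the list of permitted link schemes and the sample inputs are made up for illustration. It also addresses the quoted question about whether removing <script> is enough: two of the inputs below carry their payload in an event-handler attribute and in a javascript: link, and neither contains a script tag at all.

```python
from html import escape
from html.parser import HTMLParser

# Illustrative whitelist: tag -> attributes that may survive on it.
# Anything not listed here is dropped (the tag) or escaped (the text).
ALLOWED_TAGS = {
    "p": frozenset(), "br": frozenset(), "b": frozenset(), "i": frozenset(),
    "em": frozenset(), "strong": frozenset(), "ul": frozenset(), "ol": frozenset(),
    "li": frozenset(), "blockquote": frozenset(), "code": frozenset(),
    "pre": frozenset(), "a": frozenset({"href", "title"}),
}
VOID_TAGS = frozenset({"br"})
# These are removed together with everything inside them, not just the tag.
DROP_WITH_CONTENT = frozenset({"script", "style"})
# Links are allowed by scheme, not by blacklisting "javascript:"; anything
# else (data:, vbscript:, an unknown scheme) is rejected the same way.
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/", "#")


def _safe_href(value):
    return value.strip().lower().startswith(SAFE_HREF_PREFIXES)


class WhitelistSanitizer(HTMLParser):
    """Rebuilds the markup from the whitelist instead of patching the input."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0      # > 0 while inside <script>/<style>
        self.open_tags = []      # allowed tags currently open, for balancing

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return               # unknown tag: drop it, its text still comes through
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue         # this is what removes onerror=, onclick=, style=
            if name == "href" and not _safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag not in self.open_tags:
            return               # stray close tag: ignore it
        while self.open_tags:    # close anything opened after it as well
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))
    # Comments, declarations and processing instructions fall through to the
    # base class, which ignores them, so they never reach the output.


def sanitize(html):
    parser = WhitelistSanitizer()
    parser.feed(html)
    parser.close()
    while parser.open_tags:      # input ended with tags still open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs; only the first contains a <script> tag.
    for sample in (
        '<script>alert(1)</script>ok',
        '<img src=x onerror=alert(1)>text',
        '<a href="javascript:alert(1)">x</a>',
        '<p><b>unbalanced</p>',
    ):
        print(repr(sample), "->", repr(sanitize(sample)))
```

Output is always balanced and always built from the whitelist, so a tag the parser did not recognise, or a quoting trick that confuses a regular expression, cannot reach the page: the worst case is that text is escaped rather than formatted.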
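An added example, not code from the thread, that puts the extension blacklist from the question next to a whitelist check, in plain Python so it runs outside Django. Assumptions: the space after "(?P<ext>" in the posted regexp is treated as an artifact of pasting and dropped (with it, the pattern would require a literal space in the filename); the allowed-extension set, the function names and the sample filenames are made up for illustration.

```python
import re

# The blacklist from the question, minus the assumed stray space.
BLACKLIST_RE = re.compile(
    r"(?i)(?P<ext>(?:cgi|htaccess|php[0-9s]?|[ps]html?|pl|pyc?|rb)(?:\..+)?)$"
)


def blacklist_clean(filename):
    """The approach in the question: append '.txt' when a listed extension matches."""
    if BLACKLIST_RE.search(filename):
        return filename + ".txt"
    return filename


# Illustrative whitelist; a real site lists exactly the types it means to serve.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "zip", "txt"})


def allowlist_clean(filename):
    """Return a normalised, safe filename, or raise ValueError.

    - Discards any directory part ("../x", "C:\\x"), so the stored name cannot
      point outside the upload directory.
    - Rejects control characters (a NUL byte truncates the name in C code).
    - Keeps exactly one extension, compared case-insensitively against the
      whitelist: "shell.php.jpg" becomes "shell_php.jpg", so a server that
      honours every dotted suffix (Apache mod_mime's multiple extensions)
      never sees a ".php" segment.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if (not base or base in (".", "..")
            or any(ord(c) < 32 or c == "\x7f" for c in base)):
        raise ValueError("invalid filename")
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:          # no extension, or a dotfile like ".htaccess"
        raise ValueError("filename needs a name and an extension")
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension .{ext} is not allowed")
    stem = re.sub(r"[^A-Za-z0-9_-]+", "_", stem).strip("_") or "file"
    return f"{stem}.{ext}"


def is_allowed(filename):
    try:
        allowlist_clean(filename)
        return True
    except ValueError:
        return False


def blacklist_gaps(names):
    """Names the blacklist passes unchanged but the whitelist rejects."""
    return [n for n in names if blacklist_clean(n) == n and not is_allowed(n)]


if __name__ == "__main__":
    # Constructed filenames. The first two are what the blacklist was written
    # for; the rest are names it does not know about. An .html or .svg file
    # served from the site's own origin is rendered as markup by the browser,
    # which is stored XSS even though no server-side interpreter runs it.
    samples = ["shell.php", "shell.PHP5", "shell.php.jpg", "page.html",
               "image.svg", "shell.asp", "shell.jsp", "happy.jpg", "photo.png"]
    for name in samples:
        print(f"{name:16} blacklist -> {blacklist_clean(name):20} "
              f"whitelist -> {'ok' if is_allowed(name) else 'rejected'}")
    print("missed by the blacklist:", blacklist_gaps(samples))
```

Two things the run shows: the posted pattern has no "\." before the extension group, so "happy.jpg" is renamed because it ends in "py" followed by ".jpg", while "page.html" goes through untouched; and the whitelist version is the one that needs no updating when the next interpreter or browser-rendered type turns up. In Django, clean_<fieldname>() would call allowlist_clean(self.cleaned_data["<fieldname>"].name) and turn the ValueError into forms.ValidationError. An allowed extension still says nothing about the bytes inside the file, so when serving uploads send them with "Content-Disposition: attachment" and "X-Content-Type-Options: nosniff" (or from a separate hostname), so that the browser does not render whatever the content turns out to be inside your origin.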