On Nov 8, 12:25 pm, "Oliver Lavery" <[EMAIL PROTECTED]> wrote:
> That's a pretty nice solution.
>
> Implicitness in this case is a desirable attribute, imho. For output
> filtering it would be nice to have HTML escaping be a sitewide default. This
> is just good security practice, deny by default,
On 11/7/06, Oliver Lavery <[EMAIL PROTECTED]> wrote:
> Jing though? Eeep, all them Java VMs firing up could get costly. Perhaps
> I'll try to hack it to use xmllint.
Well, Jing itself is not so bad, especially when you've compiled it.
That system grew largely out of our usage here at World Online
James,
That's perfect, thanks! If I have to roll my own, at least using a validator like RELAX NG makes it somewhat less painful. Jing though? Eeep, all them Java VMs firing up could get costly. Perhaps I'll try to hack it to use xmllint.
Cheers,
~ol

On 11/7/06, James Bennett <[EMAIL PROTECTED]> wrote:
O
On 11/7/06, Oliver Lavery <[EMAIL PROTECTED]> wrote:
> Thanks. Output filtering is definitely a good thing, but I'm more worried
> about input filtering. If users are allowed to submit HTML that will be
> displayed to other users, I want to pass the HTML through a strict validator
> to keep them f
That's a pretty nice solution. Implicitness in this case is a desirable attribute, imho. For output filtering it would be nice to have HTML escaping be a sitewide default. This is just good security practice, deny by default, and allow by exception. If I must have a < or a > in an output variable I w
James,
Thanks. Output filtering is definitely a good thing, but I'm more worried about input filtering. If users are allowed to submit HTML that will be displayed to other users, I want to pass the HTML through a strict validator to keep them from posting scripts.
Imagine we have a hypothetical webs
On 11/7/06, SmileyChris <[EMAIL PROTECTED]> wrote:
> When I brought it up on the group a while ago, I hit resounding
> silence. It doesn't seem to be the hot topic it was a while back.
So bring it up again :)
I honestly don't remember seeing it, so it may have come across at a
time when everyone
> ... There's been
> extensive discussion of this on the developer list and thus far
> no-one's stepped up with a clean implementation that doesn't get in
> the way of some use cases (keep in mind that Django's template system
> is expected to be able to produce more than just HTML ...
I dunno, I
On 11/7/06, Oliver Lavery <[EMAIL PROTECTED]> wrote:
> I was a little disappointed to see that Django doesn't include a safe HTML
> checker / sanitizer. RoR has something along these lines afaik (which is
> very little in this case).
We include the 'escape' and 'striptags' filters, but there is n