Security implications of using the form.fields dictionary directly


vpetkov

Aug 31, 2011, 5:26:36 AM8/31/11
to Django users
Hi all,

In relation to my previous post (unanswered,
http://groups.google.com/group/django-users/browse_thread/thread/aad6fc7e6ad71b4f)
I would like to ask about the security implications of doing the
following:

What I would like to have in the template is:
{{ form.tueren.A }}
{{ form.tueren.B }},
etc.

If I inherit from form.Field and create a tueren FormField with
attributes A, B, etc., I have direct access to it via
form.fields['tueren'], so
I can write in the template:
{{ form.fields.tueren.A }}
{{ form.fields.tueren.B }}

However, this effectively circumvents the default mechanism of
instantiating a BoundField that restricts the use of the Field in
certain ways, so I was wondering what kind of security repercussions
this might have?

Best regards,
Venelin Petkov

Daniel Roseman

Sep 3, 2011, 4:35:38 AM9/3/11
to django...@googlegroups.com
I don't know why you think there would be security implications. Your templates are under your control, on your server, so assuming your server is reasonably secure there's nothing an attacker can do - actually, even if it isn't, there's nothing an attacker can do that wouldn't be easier in the views, which they would also have access to if they broke in.

The reason for the BoundField distinction is nothing to do with security, it's - as the name implies - that the field is bound to a value, which can then be displayed or validated. If you bypass that, you lose most of the functionality of fields and therefore most of the reason for using them in the first place.
--
DR. 

Doug Ballance

Sep 3, 2011, 1:52:02 PM9/3/11
to Django users
The most elegant way I've seen specialized form rendering handled was
the use of template tags and filters. The django uni-form project is
a good example. By using the filter and template tags you gain full
access to all the form elements, and can do easy manipulation in
Python, but leave the rendering and HTML to a template.

If you wanted your multiplecheckboxes field to render in three columns
you could write a filter (formfield_columns for example) that took the
formfield as parameter, and the number of columns, and returned the
appropriate breakdown with the right info that might be used something
like this:

{% for row in myform.field|formfield_columns:3 %}
<tr>
{% for cb in row %}
<td>
<input id="{{ cb.id }}" type="checkbox" name="{{ cb.name }}"
value="{{ cb.value }}" {% if cb.checked %}checked{% endif %}/> <label
for="{{ cb.id }}">{{ cb.label }}</label>
</td>
{% endfor %}
</tr>
{% endfor %}

where your filter converted the field into a list of rows, with each
checkbox representing a dict populated with values (keys checked,
name, id, label) from the form field.

You could also make a filter that does a single value in your
multiplecheckbox field:

{{form.field|formcheckbox_value:"myvalue"}}
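An added example, not code from either poster or from the django uni-form project: one way to implement the formfield_columns and formcheckbox_value filters sketched above. Names and behaviour beyond what the posts state are my assumptions: the filter duck-types on the attributes a real django.forms.BoundField exposes (.field.choices, .value(), .html_name, .auto_id), assumes flat (ungrouped) choices, and the FakeBoundField class is a constructed stand-in so the file runs without Django installed. The point relevant to Venelin's question is that the filters return plain data rather than HTML strings, so the template's autoescaping still applies to every label and value and nothing has to be marked safe; that is what keeps a rendering shortcut like this from becoming an injection point.

```python
"""Added example (not from the thread): formfield_columns and
formcheckbox_value filters as described in the post above, written so the
file also runs stand-alone without Django.

Assumptions (mine, not the posts'): duck-typing on a BoundField's
.field.choices, .value(), .html_name and .auto_id; flat choices only;
FakeBoundField is a constructed stand-in for a real BoundField.
The filters return plain data, never HTML, so template autoescaping still
protects labels and values; nothing here is marked safe.
"""
from types import SimpleNamespace

try:
    from django import template  # real project: register with Django
    register = template.Library()
except ImportError:  # stand-alone run: a no-op registry with the same API
    class _NoopLibrary:
        def filter(self, name=None, filter_func=None, **flags):
            def decorate(fn):
                return fn
            return decorate
    register = _NoopLibrary()


@register.filter(name="formfield_columns")
def formfield_columns(bound_field, columns=3):
    """Split a multiple-checkbox field into rows of `columns` checkbox dicts.

    Each dict carries the keys the template in the post uses: id, name,
    value, label, checked. Ids follow Django's own "<auto_id>_<index>"
    scheme for CheckboxSelectMultiple, so <label for=...> matches what
    Django would render for the same field.
    """
    columns = int(columns)
    if columns < 1:
        raise ValueError("columns must be >= 1")
    selected = bound_field.value() or []          # None for an unbound form
    if isinstance(selected, (str, bytes)):        # defensive: lone value, not a list
        selected = [selected]
    selected = {str(v) for v in selected}
    boxes = [
        {
            "id": "%s_%d" % (bound_field.auto_id, index),
            "name": bound_field.html_name,
            "value": value,
            "label": label,                       # kept as data; template escapes it
            "checked": str(value) in selected,
        }
        for index, (value, label) in enumerate(bound_field.field.choices)
    ]
    return [boxes[i:i + columns] for i in range(0, len(boxes), columns)]


@register.filter(name="formcheckbox_value")
def formcheckbox_value(bound_field, value):
    """Return the checkbox dict for one choice value, or None if absent."""
    for row in formfield_columns(bound_field, 1):  # one box per row
        if str(row[0]["value"]) == str(value):
            return row[0]
    return None


class FakeBoundField:
    """Constructed stand-in exposing only the BoundField attributes used above."""

    def __init__(self, name, choices, data=None):
        self.html_name = name
        self.auto_id = "id_%s" % name             # Django's default auto_id pattern
        self.field = SimpleNamespace(choices=choices)
        self._data = data

    def value(self):
        return self._data


def demo():
    """Five constructed door choices, two selected, laid out three per row."""
    choices = [("A", "Tür A"), ("B", "Tür B"), ("C", "Tür C"),
               ("D", "Tür D"), ("E", "<b>Tür E</b>")]  # markup in a label stays data
    tueren = FakeBoundField("tueren", choices, data=["B", "D"])
    return formfield_columns(tueren, 3)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

With a real form, `{% load %}` the library and use `{{ form.tueren|formfield_columns:3 }}` exactly as in the post's loop; the template, not the filter, decides how each dict becomes markup.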