Hello,
is everybody fine with the documentation of mark_safe?
I think by default people don't get the idea to use mark_safe
except on occasions where they notice their output is not the desired
one. Then investigations on rendering to achieve the right output
lead to mark_safe(), and by that time the developers have enough
knowledge of how the whole thing works internally.
With this flow there is no danger of misusing mark_safe.
Greetings
Дилян
----- Message from Douglas Miranda <douglasmi...@gmail.com> ---------
Date: Thu, 22 Feb 2018 09:40:08 -0800 (PST)
From: Douglas Miranda <douglasmi...@gmail.com>
Reply-To: django-d...@googlegroups.com
Subject: Re: Consider renaming `mark_safe` to `dangerously_trust_html` (etc)
To: "Django developers (Contributions to Django itself)" <django-d...@googlegroups.com>
> Yes, people read *mark_safe* as *MAKE_safe*. I'm not sure yet, but I'm
> liking the idea of *trust_html*; I feel like more developers will
> understand what they're doing.
>
> Maybe the docs could have more detailed notes about HTML inputs that you
> want to mark safe: one thing is trusting "<span>", another is trusting "{{
> post.content }}". Rich text editors play a big part for beginner devs; a lot
> of people start with Django and don't quite understand Python or web
> security yet, that's just reality.
>
> Django is not to blame, but I think that's a small change with big
> impact.
>
>
> On Thursday, February 22, 2018 at 10:07:12 AM UTC-4, Adam Johnson wrote:
>>
>> I am also in favour of a rename without deprecating the old name.
>>
>> I like 'trust_html' - it's still similarly short but as Tom says it
>> implies more than 'mark_safe' does.
>>
>> On 22 February 2018 at 08:30, Tom Forbes <t...@tomforb.es> wrote:
>>
>>> What about just 'trust_html'? The dangerous part is quite context
>>> dependent (and a bit of a mouthful), but at the core you are trusting the
>>> HTML. Hopefully it follows that you should not trust HTML with user input
>>> that hasn't been escaped.
>>>
>>>
>>> On 22 Feb 2018 13:10, "Anthony King" <anthon...@gmail.com> wrote:
>>>
>>> I entirely agree with renaming `mark_safe`. Though its name is correct,
>>> it doesn't convey the gravity of what this actually does.
>>> However, I'm unsure on the `dangerously_trust_html` name. It wouldn't be
>>> dangerous to trust the literal "<small>Some Content</small>", for example.
>>>
>>> Perhaps it could be something a bit more explicit. `no_escape(string)`?
>>> This assumes that most have at least heard of escaping.
>>>
>>>
>>> On 22 February 2018 at 12:16, Josh Smeaton <josh.s...@gmail.com
>>>>>>> which *isn’t* actually safe (e.g. HTML from a rich text input) — is
>>>>>>> one of the biggest causes of XSS vulnerabilities in Django projects.
>>>>>>>
>>>>>>> The docs warn to be careful, but unfortunately I think Django devs
>>>>>>> have just got too used to mark_safe() being *the way* to insert HTML
>>>>>>> in a template. And it’s easy for something that was safe when it was
>>>>>>> authored (e.g. calling mark_safe() on a hard-coded string) to be
>>>>>>> copied / repurposed / adapted into a case which is no longer
>>>>>>> safe (e.g. that string replaced with a user-provided value).
>>>>>>>
>>>>>>> Some other frameworks use scary sounding names to help reinforce that
>>>>>>> there are dangers around similar features, and that this isn’t
>>>>>>> something you should use in everyday work — e.g. React’s
>>>>>>> dangerouslySetInnerHTML.
>>>>>>>
>>>>>>> Relatedly, this topic
>>>>>>> <https://groups.google.com/d/msg/django-developers/c4fa2pOcHxo/EtT942WnyiAJ>
>>>>>>> suggested making it more explicit that mark_safe() refers to being safe for
>>>>>>> use in *HTML* contexts (rather than JS, CSS, SQL, etc).
>>>>>>>
>>>>>>> Combining the two, it would be great if Django could rename
>>>>>>> mark_safe() to dangerously_trust_html(), |safe to
>>>>>>> |dangerously_trust_html, @csrf_exempt to @dangerously_csrf_exempt,
>>>>>>> etc.
>>>>>>>
>>>>>>> Developers who know what they’re doing with these could then be
>>>>>>> encouraged to create suitable wrappers which handle their use
>>>>>>> case safely internally — e.g.:
>>>>>>>
>>>>>>> @register.filter
>>>>>>> def sanitize_and_trust_html(value):
>>>>>>>     # Safe because we sanitize before trusting
>>>>>>>     return dangerously_trust_html(bleach.clean(value))
>>>>>>>
>>>>>>>
>>>>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Django developers (Contributions to Django itself)" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to django-develop...@googlegroups.com.
>>>> <https://groups.google.com/d/msgid/django-developers/db4ac958-89e1-4286-a616-99e9854c9bbb%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>>
>>>> For more options, visit https://groups.google.com/d/optout.
----- End message from Douglas Miranda <douglasmi...@gmail.com> -----
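The pitfall and the sanitize-then-trust wrapper discussed in the quoted thread, as an added example that is not part of the thread, of Django or of bleach. Django and bleach are not imported here: `SafeString`, `mark_safe`, `conditional_escape` and the allowlist `_Sanitizer` are small stand-ins (assumptions) that mirror the real behaviour, and `UNTRUSTED` is a constructed sample input.

```python
import html
from html.parser import HTMLParser

# Stand-ins for Django's SafeString / mark_safe / conditional_escape (assumed, not Django's own code).
class SafeString(str):
    """A str the renderer will not escape again; marking changes the type, never the content."""

def mark_safe(s):
    return SafeString(s)

def conditional_escape(value):
    return value if isinstance(value, SafeString) else html.escape(str(value), quote=True)

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "small"}  # allowlist; attributes are always dropped

class _Sanitizer(HTMLParser):
    """Allowlist sanitizer (stand-in for bleach.clean): keeps listed tags, escapes all text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.in_script = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append("<%s>" % tag)
        elif tag == "script":
            self.in_script += 1        # drop script bodies entirely, not just the tags
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)
        elif tag == "script" and self.in_script:
            self.in_script -= 1
    def handle_data(self, data):
        if not self.in_script:
            self.out.append(html.escape(data, quote=True))

def sanitize_and_trust_html(value):
    # The wrapper the thread proposes: trust only what survives sanitization.
    p = _Sanitizer()
    p.feed(value)
    p.close()
    return mark_safe("".join(p.out))

UNTRUSTED = '<b>hi</b><script>alert(1)</script><img src=x onerror=alert(1)>'  # constructed sample

def demo():
    # What a template's autoescaping would emit for {{ body }} in each case.
    return {
        "escaped": conditional_escape(UNTRUSTED),                    # default: markup shown as text
        "marked_safe": conditional_escape(mark_safe(UNTRUSTED)),     # mark_safe on user input: script survives
        "sanitized": conditional_escape(sanitize_and_trust_html(UNTRUSTED)),  # only <b>hi</b> survives
    }
```

The "marked_safe" entry is exactly the bug the thread describes: a hard-coded string passed to mark_safe is harmless, but the same call on a user-provided value passes the script through untouched.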