Edgewall Software

Changes between Version 116 and Version 117 of GenshiTutorial

Show
Ignore:
Timestamp:
02/02/10 21:30:53 (4 years ago)
Author:
anonymous
Comment:

fixed typo: "let us now" -> "let us know"

Legend:

Unmodified
Added
Removed
Modified
  • GenshiTutorial

    v116 v117  
    14411441 '''Note:''' this is just one way to add sanitization. Another equally valid approach would be to store comment submissions exactly how they were entered, and sanitize them when they are displayed. Or you could have two fields in the model: one to store the text as originally submitted, and the other to store the sanitized content ready for display. Or, if you were really paranoid, you'd sanitize both the input and the output. Which method you choose depends on the needs of your particular application. 
    14421442 
    1443 You may want to try performing some XSS attacks by including malicious HTML markup in comments. Try some of the methods shown on the [http://ha.ckers.org/xss.html XSS Cheat Sheet]. You should not be able to get past the sanitizer; if you are, please [/newticket let us now]. 
     1443You may want to try performing some XSS attacks by including malicious HTML markup in comments. Try some of the methods shown on the [http://ha.ckers.org/xss.html XSS Cheat Sheet]. You should not be able to get past the sanitizer; if you are, please [/newticket let us know]. 
    14441444 
    14451445We're almost done—the only remaining task is to update the Atom feed so that it, too, includes the user-submitted HTML tags as markup, instead of as escaped text. Open `geddit/templates/info.xml`, and update it to look as follows: