Re: Admin user privilege elevation (how to prevent it)
On Tue, May 15, 2012 at 8:59 AM, Stephen McDonald <stephen.mc@gmail.com> wrote:
> Stephen from Mezzanine here - thanks for the thorough response Russ.
>
> The cleansing process we go through is very rigorous - we're leaning
> on the shoulders of tools that have solved this problem (in our case
> the bleach library). It uses a white-list of tags and attributes, so
> all those tricky edge cases around event handlers as attributes are
> solved with a well-documented white-list based on known XSS vectors.
Hi Stephen,
Just to be clear to everyone -- I'm not accusing Mezzanine of doing
something wrong here. As far as I can make out, Mezzanine is doing the
very best it can do under the circumstances. Leveraging an existing
trusted library for cleansing is the best possible solution given the
constraints for this particular problem.
Unfortunately, as you've pointed out, there's no way to do it the
"right way" (i.e., not trusting user content) in this case, so the
best you can do is lock down everything as much as possible, and give
users what remains of the shotgun and hope they don't point it at
anything too critical :-)
Russ %-)
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
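The whitelist approach Stephen describes, as an added example that is not Mezzanine's or bleach's code: a minimal stdlib sanitiser in the same style, using a constructed tag/attribute/scheme policy. Because only listed items survive, event-handler attributes and `javascript:` links are dropped without ever being enumerated.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed policy (not bleach's defaults): anything not listed here is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


class WhitelistSanitizer(HTMLParser):
    """Re-serialise input keeping only whitelisted tags/attributes. Event handlers
    (onclick, onerror, ...) are never enumerated: they are simply not on the list."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def _safe_url(self, value):
        # Drop control characters first so "java\nscript:" cannot slip past the check.
        value = "".join(ch for ch in value if ch.isprintable()).strip()
        scheme = urlparse(value).scheme.lower()
        return scheme == "" or scheme in ALLOWED_SCHEMES  # relative URLs are fine

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (script, img, iframe, ...): tag dropped, text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # not on the whitelist, so on* handlers vanish here
            if name == "href" and not self._safe_url(value or ""):
                continue  # javascript:, data:, vbscript: are not allowed schemes
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always re-escaped


def clean(html):
    parser = WhitelistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Text inside a dropped tag is kept and re-escaped, so `clean('<script>alert(1)</script>')` yields plain text rather than executable markup.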