Comments on: On Sandboxing Genshi http://lucumr.pocoo.org/cogitations/2007/09/26/on-sandboxing-genshi/ Armin Ronacher thinking Thu, 28 Aug 2008 02:43:27 +0000 http://wordpress.org/?v=2.2 By: Alice McGregor http://lucumr.pocoo.org/cogitations/2007/09/26/on-sandboxing-genshi/#comment-10564 Alice McGregor Tue, 19 Aug 2008 08:24:50 +0000 http://lucumr.pocoo.org/cogitations/2007/09/26/on-sandboxing-genshi/#comment-10564 I'm -very- interested in securing Genshi. Specifically removing any possibility of users including other files or even building blocks whatsoever. That would go a long way towards securing a template. I couldn't easily tell what changes you had made in your branch, if any. Is there any forward progress? I’m -very- interested in securing Genshi. Specifically removing any possibility of users including other files or even building blocks whatsoever. That would go a long way towards securing a template.

I couldn’t easily tell what changes you had made in your branch, if any. Is there any forward progress?

]]> By: Armin Ronacher http://lucumr.pocoo.org/cogitations/2007/09/26/on-sandboxing-genshi/#comment-468 Armin Ronacher Thu, 27 Sep 2007 16:17:53 +0000 http://lucumr.pocoo.org/cogitations/2007/09/26/on-sandboxing-genshi/#comment-468 I have no idea how comments are parsed in WordPress, probably some limited amount of HTML, i shortened the link in the admin. That thing is definitively bad, I thought the django template loader makes sure nothing outside of the django root is included. That couldn't happen with Genshi ;-) I have no idea how comments are parsed in WordPress, probably some limited amount of HTML, i shortened the link in the admin.

That thing is definitively bad, I thought the django template loader makes sure nothing outside of the django root is included. That couldn’t happen with Genshi ;-)

]]> By: Christopher Lenz http://lucumr.pocoo.org/cogitations/2007/09/26/on-sandboxing-genshi/#comment-466 Christopher Lenz Thu, 27 Sep 2007 12:37:41 +0000 http://lucumr.pocoo.org/cogitations/2007/09/26/on-sandboxing-genshi/#comment-466 Btw, about Django templates being sandboxed/secure: <a href="http://groups.google.com/group/django-developers/browse_thread/thread/28eac0b3787de93/51e1946f5b97e97e#51e1946f5b97e97e" rel="nofollow">include tag security hole</a> (Hope that comes out right, there are no hints here about how comments are supposed to be formatted to include links etc) Btw, about Django templates being sandboxed/secure:

include tag security hole

(Hope that comes out right, there are no hints here about how comments are supposed to be formatted to include links etc)

]]>