alejandro | jose_n: how do these Python frameworks protect your applications? do you need to validate the user input? |
jose_n | i'll get to that around slide 22, with FormEncode |
jose_n | very easy to do |
jose_n | what i typically do is to not trust user supplied input for things like page indices or whatnot, i try and map them to a type |
jose_n | if try/except fails, i bubble up an error or return them to the index to choose again (ie someone munged the URL) |
jose_n | but for form submissions, FormEncode and the validators work very well and in a very simple fashion |
alejandro | ok, then you need to do validation like in other frameworks such as Ruby on Rails |
jose_n | right, CherryPy doesn't give that to you for free |
alejandro | I was thinking about a parameter mapping in GET/POST done by the framework itself. :-) |
jose_n | some other frameworks, like Myghty (with Routes), do |
alejandro | ah ok, searching for Django security problems, I didn't find a good overview of the security problems and whether the threat was mitigated with the new model. |
jose_n | yeah, the author didn't do a good job of explaining how it mitigates those |
jose_n | my experience has been that it either gracefully avoids it or it will say "i don't understand you" |
jose_n | i haven't been able to break any of our django apps with junk input |
alejandro | then Django protects the web application from common injections? or do you mean using your own validation like FormEncode or validation controls? |
jose_n | both, as best i can tell |
alejandro | I haven't programmed with Django yet, but in Ruby on Rails you need to use language-level validation like: <%=h data %> |