by traverseda 1383 days ago
Uhh, don't use the "safe" filter on user data that you're embedding in javascript, as that introduces arbitrary code injection attacks.

As for the default representation not being flat like the author needed, you can use the "values_list" method on your queryset.

I worry that articles like this lead to "the blind leading the blind". The arbitrary js injection attack enabled by their first example is concerning, and really should be accompanied by a big disclaimer saying "don't mess around with this filter unless you actually know what you're doing".
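An added example, not code from the thread or from Django: a small pure-Python model of the two embedding strategies the comment contrasts. `embed_with_safe_filter` mimics what `|safe` does to a string interpolated inside a `<script>` block, while `json_script_embed` mirrors the escaping Django's `json_script` filter applies (`<`, `>` and `&` become `\u003C`, `\u003E`, `\u0026` inside a non-executing `application/json` element), so a value containing `</script>` stays data. The input string and element id are constructed for the demonstration.

```python
import html
import json

# Characters that can terminate a <script> element or open a new tag when
# JSON text is placed inside HTML. Django's json_script escapes the same
# three; the escaped forms are still valid JSON and decode to the originals.
_JSON_HTML_ESCAPES = {
    ord("<"): "\\u003C",
    ord(">"): "\\u003E",
    ord("&"): "\\u0026",
}


def embed_with_safe_filter(user_value: str) -> str:
    """Model of {{ value|safe }} inside a script block: the string is
    interpolated verbatim, so '</script>' in the data closes the block."""
    return f'<script>var name = "{user_value}";</script>'


def escape_json_for_html(value) -> str:
    """Serialise to JSON, then neutralise <, > and & so the text cannot
    break out of the surrounding <script> element."""
    return json.dumps(value).translate(_JSON_HTML_ESCAPES)


def json_script_embed(value, element_id: str) -> str:
    """json_script-style embedding: escaped JSON in a type="application/json"
    element, which the browser never executes; JS reads it with JSON.parse."""
    return (f'<script id="{html.escape(element_id)}" '
            f'type="application/json">{escape_json_for_html(value)}</script>')


def breaks_out_of_script(markup: str) -> bool:
    """True when the data ended the script element early: the markup then
    contains more than the single closing '</script' we emitted."""
    return markup.lower().count("</script") > 1


def extract_embedded(markup: str):
    """Browser-side view: take the element's text content and JSON-parse it,
    as document.getElementById(id).textContent followed by JSON.parse would."""
    start = markup.index(">") + 1
    end = markup.rindex("</script>")
    return json.loads(markup[start:end])


# Constructed user-supplied value containing a closing script tag.
CONSTRUCTED_INPUT = "Alice</script><p>text that should stay data</p>"

if __name__ == "__main__":
    print(embed_with_safe_filter(CONSTRUCTED_INPUT))
    print(json_script_embed({"names": [CONSTRUCTED_INPUT]}, "names-data"))
```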


Right, but in another comment you talk about serializing querysets, and I'd be surprised if you can guarantee that no other developer will ever put dangerous data in any of the rows in your queryset. That approach would be building a pretty dangerous foot gun.

Just the whole approach gets dangerously close to a big security issue, even if you do it "right".

This is valid. I'll add an update to the post that people should use caution and think about security.