As a default, components bring their attributes fully into the frontend. This can lead to serious security vulnerabilities when sensible (e.g. model) data is accessible as JavaScript/JSON data in the rendered HTML page.
I think Unicorn should change this behaviour while <1.0.0, and go down the "security first" road the rest of Django does as well. There is no problem in adding the attribute to the template context, as templates are "backend" code. But the HTML page should NOT contain data as default.
- deprecate the Meta.javascript_exclude keyword, this should be the default.
- add a javascript_include keyword (or something more simple) to actively include data into the frontend.
E.g. Tetra goes a perfect way here: you have to wrap an attribute with public to make it show up in the frontend. I like this idea, as the meta information stays close to the attribute itself.
Same could go to methods.
There could be other ways like the current inner Meta class approach too - and maybe this is more "unicornic", as most users know that way already.
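Added illustration of the two defaults being compared above (not django-unicorn's or Tetra's code): `serialize_opt_out` mirrors the current exclude-list behaviour, while `serialize_opt_in` and the hypothetical `public()` marker stand in for the proposed include-only default. The component state is a constructed sample.

```python
# Added example contrasting an opt-out (exclude list) with an opt-in (allowlist)
# frontend serializer. Names here are hypothetical, not django-unicorn's API.
import json


class _Public:
    """Hypothetical marker: wraps an attribute that is allowed to reach the browser."""

    def __init__(self, value):
        self.value = value


def public(value):
    """Mark a component attribute as safe to expose in the rendered page."""
    return _Public(value)


def _unwrap(value):
    return value.value if isinstance(value, _Public) else value


def serialize_opt_out(attrs, exclude=()):
    """Current-style behaviour: everything is sent unless explicitly excluded.
    Forgetting one name in `exclude` leaks that attribute into the page."""
    return {k: _unwrap(v) for k, v in attrs.items() if k not in exclude}


def serialize_opt_in(attrs):
    """Proposed behaviour: only attributes wrapped with public() are sent.
    Anything the developer did not mark stays server-side by default."""
    return {k: v.value for k, v in attrs.items() if isinstance(v, _Public)}


# Constructed component state: one display value and two fields that
# belong to the backend only (placeholder values, not real data).
COMPONENT_ATTRS = {
    "greeting": public("Hello"),
    "user_email": "alice@example.com",  # constructed sample, model data
    "api_token": "placeholder-token",   # constructed placeholder
}


def frontend_payload(mode, exclude=()):
    """Return the JSON that would be embedded in the HTML page for `mode`."""
    if mode == "opt_in":
        data = serialize_opt_in(COMPONENT_ATTRS)
    else:
        data = serialize_opt_out(COMPONENT_ATTRS, exclude)
    return json.dumps(data, sort_keys=True)
```

With the exclude list, the developer has to remember every sensitive field; with the allowlist, forgetting a field only hides a harmless value from the browser.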