What would be the most effective way to sanitize user input with Tastypie? Right now, if the user enters something like `<b>hi</b>`, the HTML tags are saved, so when it is displayed, the text is displayed in bold. How can I sanitize all input without having to modify `obj_create` on every resource?
Also, since I'm new to web security, should I also sanitize user input on the front end? I'm not sure whether I have to sanitize the input before sending the POST request to the Tastypie API, or whether I have to sanitize the input when Tastypie processes it.
Edit: I found out that I can avoid HTML in my Underscore templates by displaying data with `<%- %>` rather than `<%= %>`. Why doesn't it escape by default? I feel that this is a big security risk. If I accidentally forget to do it somewhere, then I'm in trouble.
I think the above fixes the front-end security issue, but what about the back end? Is there a way to see how vulnerable I am to SQL injection? Will Tastypie sanitize input when I execute a POST / PUT request?
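The difference between `<%= %>` and `<%- %>` described in the edit above, as an added example that is not part of the original question and not code from the Underscore or Tastypie projects: a small renderer that implements just those two interpolation tags over a plain object (a subset of Underscore's template syntax, assumed here for illustration), plus an `escapeHtml` function modelled on the character set Underscore's `_.escape` handles. Rendering the same stored value `<b>hi</b>` through both tags shows why the raw tag reproduces the markup while the escaping tag renders it as literal text.

```javascript
// Added example (not from the question, Underscore or Tastypie): a minimal
// template renderer supporting only <%= path %> (raw) and <%- path %>
// (HTML-escaped) so the two output modes can be compared without a browser.

// Characters that must be escaped before untrusted text is placed in HTML.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;',
};

// Escape at output time: the stored value is left untouched, only its
// rendering in the page changes. Mirrors what the <%- %> tag does.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Look up a dotted path ("comment.text") in the data object.
function lookup(data, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
}

// Replace each <%= path %> or <%- path %> tag with the looked-up value.
// mode "=" inserts the value raw; mode "-" inserts it HTML-escaped.
function render(template, data) {
  return template.replace(/<%([=-])\s*([\w.]+)\s*%>/g, (_match, mode, path) => {
    const value = lookup(data, path);
    const text = value == null ? '' : String(value);
    return mode === '-' ? escapeHtml(text) : text;
  });
}

// Constructed sample: the stored value contains the markup from the question.
const storedComment = { comment: '<b>hi</b>' };

// Raw interpolation: the tags reach the DOM and the browser renders bold text.
function renderRaw() {
  return render('<p><%= comment %></p>', storedComment);
}

// Escaped interpolation: the tags become literal text, which is what the
// reader sees on screen, and no markup is interpreted.
function renderEscaped() {
  return render('<p><%- comment %></p>', storedComment);
}

console.log(renderRaw());
console.log(renderEscaped());
```

Escaping at output, as this does, is what keeps the fix from depending on every input path being filtered: the API can store the text as submitted and the template decides how it is rendered. On the back-end question, a Tastypie `ModelResource` writes through the Django ORM, which sends query values as parameters rather than splicing them into SQL text, so the SQL injection concern and the HTML escaping concern are separate problems with separate fixes.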