chopshop-166 / SignInWebApp

Web app for team management and signing in to locations
MIT License

Escape Form Fields #66

Closed JoeJanickiChSh closed 2 years ago

JoeJanickiChSh commented 2 years ago

I'm pretty sure WTForms sanitizes inputs for SQL but does not HTML escape them. This just adds filters to the form fields that escape them to be HTML-safe and avoid XSS attacks.

msoucy commented 2 years ago

Sanitizing is all well and good, but if we used wtforms validators we wouldn't need as much sanitization: the form itself would reject invalid characters.

JoeJanickiChSh commented 2 years ago

I'm pretty sure < and > characters are allowed in emails (in certain circumstances) and it is possible that a fully valid email address would get rejected by the validator.
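The thread contrasts two approaches: a filter that HTML-escapes whatever the user typed (the approach of this PR) and a validator that rejects the submission when it contains characters the field should never carry (msoucy's suggestion), with the caveat that a quoted local part such as `"<joe>"@example.com` is legal in an email address. The following is an added example, not code from this PR or from the SignInWebApp project. It uses only the standard library and mimics the order WTForms applies field processing (filters on the raw data first, then validators on the result); the function and field names, and the sample addresses, are constructed for illustration.

```python
import html
import re

# Constructed sample inputs (not taken from the PR): a plain address, one
# carrying markup, and an RFC 5321 quoted local part containing < and >.
SAMPLE_INPUTS = {
    "plain": "joe@example.com",
    "markup": "<script>alert(1)</script>@example.com",
    "quoted_local": '"<joe>"@example.com',
}


def escape_filter(value):
    """Filter in the style of the PR: HTML-escape the raw value before it is
    stored. Note that this rewrites the data rather than rejecting it."""
    if value is None:
        return None
    return html.escape(value, quote=True)


_MARKUP = re.compile(r"[<>]")


def reject_markup_validator(value):
    """Validator in the style msoucy suggests: refuse the submission instead
    of rewriting it. Returns None when acceptable, else an error message."""
    if value is None:
        return None
    if _MARKUP.search(value):
        return "Angle brackets are not allowed in this field."
    return None


def process_field(raw, filters=(), validators=()):
    """Assumed to mirror WTForms' processing order: filters run on the raw
    submitted data, then validators run on the filtered data.
    Returns (data, errors)."""
    data = raw
    for f in filters:
        data = f(data)
    errors = []
    for v in validators:
        msg = v(data)
        if msg:
            errors.append(msg)
    return data, errors


def compare_strategies(raw):
    """Run one input through a filter-only field and a validator-only field
    so the two outcomes can be compared side by side."""
    escaped, _ = process_field(raw, filters=[escape_filter])
    validated, errors = process_field(raw, validators=[reject_markup_validator])
    return {
        "escape_only": escaped,             # what the filter approach stores
        "validate_only": None if errors else validated,  # None = rejected
        "errors": errors,
        "escape_changed_data": escaped != raw,  # did escaping alter the address?
    }


if __name__ == "__main__":
    for name, value in SAMPLE_INPUTS.items():
        print(name, compare_strategies(value))
```

The `escape_changed_data` flag is the practical difference between the two strategies: input-time escaping silently turns a legal quoted-local-part address into `&quot;&lt;joe&gt;&quot;@example.com`, which will never match the address the user actually owns, while a validator makes the rejection visible at submission time. Either way, the stored value still needs escaping at render time (template autoescaping) to stop XSS, since data can reach a page from sources other than this form.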

msoucy commented 2 years ago

In my opinion, that falls under the situation of "play stupid games, win stupid prizes": if you're going to make a pathological email address, don't be surprised when it fails in most websites.

msoucy commented 2 years ago

@JoeJanickiChSh Once #77 is merged, please rebase your changes and fix the merge conflicts.

msoucy commented 2 years ago

OBE