Closed: colinsullivan closed this issue 13 years ago

https://github.com/NateStedman/Observatory/blob/1b0f36aafc0af5f6ec4f7df968cf7934159f077e/observatory/dashboard/users.py#L35

Using those POST variables directly makes SQL injection possible, I believe. Should have a Django form and use the cleaned_data member.

Can use stuff from django.contrib.auth.forms: http://code.djangoproject.com/browser/django/trunk/django/contrib/auth/forms.py

Unlikely that it makes SQL injection possible, as it's quite likely that User.objects.create_user uses proper substitution to construct the insertion. However, XSS or something like that... quite a bit more likely.
Did I say likely enough?

Will fix this along with the addition of recaptcha (general cleanup of login/registration).

Could extend the django.contrib.auth forms and add some of this:

Closed!
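The fix the thread asks for, shown as an added example that is neither Observatory's nor Django's own code: a stdlib-only stand-in for a UserCreationForm-style form (field rules are assumptions), so the registration view validates first and only ever uses cleaned_data instead of raw POST values. It imports no Django so it runs anywhere.

```python
import re

# Added example (not Observatory's or Django's code): a stdlib-only stand-in
# for the UserCreationForm-style form the thread recommends, so the view only
# ever touches cleaned_data. Field rules are assumptions for illustration.
USERNAME_RE = re.compile(r"[\w.@+-]{1,30}")        # letters, digits, @ . + - _
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")   # deliberately simple check

class RegistrationForm:
    """Validates a POST dict and exposes only cleaned values."""

    def __init__(self, data):
        self.data, self.errors, self.cleaned_data = data, {}, {}

    def clean_username(self):
        value = self.data.get("username", "").strip()
        if not USERNAME_RE.fullmatch(value):    # markup like <script> cannot pass
            raise ValueError("letters, digits and @/./+/-/_ only (1-30 chars)")
        return value

    def clean_email(self):
        value = self.data.get("email", "").strip()
        if not EMAIL_RE.fullmatch(value):
            raise ValueError("enter a valid email address")
        return value.lower()

    def clean_password(self):
        p1, p2 = self.data.get("password1", ""), self.data.get("password2", "")
        if len(p1) < 8:
            raise ValueError("password too short")
        if p1 != p2:
            raise ValueError("passwords do not match")
        return p1

    def is_valid(self):
        # Run every cleaner, collecting all errors the way Django's forms do.
        for field, cleaner in (("username", self.clean_username),
                               ("email", self.clean_email),
                               ("password", self.clean_password)):
            try:
                self.cleaned_data[field] = cleaner()
            except ValueError as exc:
                self.errors[field] = str(exc)
        return not self.errors

def register(post):
    # View-style helper: returns (cleaned user fields or None, errors).
    form = RegistrationForm(post)
    if not form.is_valid():
        return None, form.errors
    return dict(form.cleaned_data), {}   # only cleaned_data reaches create_user
```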