Wednesday, August 31, 2011

Security implications of using the form.fields dictionary directly

Hi all,

In relation to my previous post (unanswered,
I would like to ask about the security implications of doing the

What I would like to have in the template is:
{{ form.tueren.A}}
{{ form.tueren.B }},

If I inherit from form.Field and create a tueren FormField with
attributes A, B, etc., I have direct access to it via
form.fields['tueren'], so I can write in the template:
{{ form.fields.tueren.A}}
{{ form.fields.tueren.B }}

However, this effectively circumvents the default mechanism of
instantiating a BoundField that restricts the use of the Field in
certain ways, so I was wondering what kind of security repercussions
this might have?

Best regards,
Venelin Petkov
