validate JSON post data

From:
Paul Korzhyk
Date:
2014-11-28 @ 04:44
I'm using Flask to process AJAX requests and almost all of my URL handlers
start like this:

from flask import request

def foobar():
    # get_json() returns the parsed body, or None if the request was not JSON
    request_json = request.get_json()
    obj_id = request_json.get('obj_id', None)

    # check that id is a valid number and convert it
    ...
    do_stuff_that_matters(obj_id)


There are libraries that validate posted form data, libraries that validate
JSON schema, etc.

What do you guys actually use for parsing & validating data?

I need to check that submitted forms don't contain any html injections,
integer fields can be parsed, etc. The ideal lib/framework probably should not
attempt to tell me how to write my HTML & JS.
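The "check that id is a valid number and convert it" step written out in full, as an added example (not code from this thread or from Flask). It rejects the cases a JSON endpoint actually meets: a body that is not JSON, a body that is not an object, a wrong type, a bool (which Python treats as an int), an out-of-range value and unexpected keys. ValidationError, parse_int_field, validate_obj_request, validation_errors and make_app are names chosen for this example; Flask is imported lazily so the validator can be exercised without an app context.

```python
"""Explicit validation of a JSON request body (added example)."""
from typing import Any, Dict


class ValidationError(ValueError):
    """Carries a field -> message dict so the view can return it as a 400."""

    def __init__(self, errors: Dict[str, str]) -> None:
        super().__init__(errors)
        self.errors = errors


def parse_int_field(payload: Dict[str, Any], name: str, *,
                    minimum: int = 1, maximum: int = 2**31 - 1) -> int:
    """Return payload[name] as a bounded int or raise ValidationError.

    Strict on purpose: the JSON value must already be an integer, so
    "42", 42.0, null and true are rejected instead of coerced. bool is
    excluded explicitly because in Python it is a subclass of int.
    """
    if name not in payload:
        raise ValidationError({name: "field is required"})
    value = payload[name]
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValidationError({name: "must be a JSON integer"})
    if not minimum <= value <= maximum:
        raise ValidationError({name: f"must be between {minimum} and {maximum}"})
    return value


def validate_obj_request(payload: Any) -> Dict[str, int]:
    """Validate the obj_id request body from the post above.

    `payload` is whatever request.get_json(silent=True) returned: None
    when the body was not JSON, or any JSON value (not necessarily an
    object), so those cases are rejected before any field is read.
    """
    if not isinstance(payload, dict):
        raise ValidationError({"_body": "request body must be a JSON object"})
    unknown = sorted(set(payload) - {"obj_id"})
    if unknown:
        # Unknown keys usually mean a client bug or a smuggled field; fail loudly.
        raise ValidationError({k: "unexpected field" for k in unknown})
    return {"obj_id": parse_int_field(payload, "obj_id")}


def validation_errors(payload: Any) -> Dict[str, str]:
    """Convenience wrapper: {} when the payload is valid, else the error dict."""
    try:
        validate_obj_request(payload)
    except ValidationError as exc:
        return exc.errors
    return {}


def make_app():
    """Wire the validator into a Flask view.

    Flask is imported inside the function (assumption of this example) so
    the validation logic above runs without Flask installed or an app context.
    """
    from flask import Flask, jsonify, request

    app = Flask(__name__)

    @app.route("/foobar", methods=["POST"])
    def foobar():
        try:
            clean = validate_obj_request(request.get_json(silent=True))
        except ValidationError as exc:
            return jsonify({"errors": exc.errors}), 400
        # Only a validated, typed value reaches the business logic.
        return jsonify({"obj_id": clean["obj_id"]}), 200

    return app


if __name__ == "__main__":
    make_app().run()
```

The validator returns a new dict containing only the fields it knows about, so the handler never passes through a value it did not check; `get_json(silent=True)` is used so that a non-JSON body becomes a 400 from the validator rather than a framework-level error.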

Re: [flask] validate JSON post data

From:
Artem Chekunov
Date:
2014-11-28 @ 05:20
I use the flask-restful extension for this case
http://flask-restful.readthedocs.org/en/latest/reqparse.html


Re: [flask] validate JSON post data

From:
Stephen Fuhry
Date:
2014-12-01 @ 14:40
I also use flask-restful for most, if not all ajax requests. For validation
- I guess it depends on the use case. Flask-restful lets you do this:


from flask_restful import Resource, reqparse  # older releases: from flask.ext.restful import ...

my_parser = reqparse.RequestParser()
# required=True makes parse_args() abort the request with a 400 if the field is missing
my_parser.add_argument('first_name', type=str, required=True)

class MyRestResource(Resource):
    def post(self):
        args = my_parser.parse_args()
        first_name = args['first_name']
        return {'first_name': first_name}


The way they break out the RequestParser feels a bit awkward, and frankly
it doesn't exactly make my life a lot easier, but it at least handles
errors reasonably well, which is not something flask-restful does a great
job of helping out with.

I also use Flask-WTF for validation, although I don't usually go to all the
trouble to create a form for each REST request.

Regarding the XSS issue, personally, I don't worry much about whether
submitted forms contain malicious code. You'll either fail to protect
against all vectors by stripping stuff out, or you'll end up bastardizing
your data with unnecessary html-entities and all that garbage that can get
tricky to reverse engineer back to the original if you need to, for
instance, inject the data into a csv (which doesn't care about your
malicious XSS code, nor about html-entities). From the docs: Flask
configures Jinja2 to automatically escape all values unless explicitly told
otherwise. <http://flask.pocoo.org/docs/0.10/security/> That may not be
sufficient for every application, but for most general cases I've
considered it to be protection enough, at least in modern browsers.

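The argument above, escape at the output sink rather than mangle the stored data, as an added example that is not code from this thread or from Flask. It reproduces with the stdlib html module what Jinja2 autoescaping does to a value at render time, writes the same untouched value to a CSV export, and shows what a strip-on-input approach loses. STORED_NAME and CONTACT are constructed sample values; render_html_cell, render_csv, strip_tags_on_input and round_trip are names chosen for this example.

```python
"""Escape at the sink, keep the stored value raw (added example)."""
import csv
import html
import io
from typing import Dict, List

# Constructed samples: what a client might post as a display name / contact.
STORED_NAME = "<script>alert(1)</script>O'Brien, Sons & Co"
CONTACT = "Alice <alice@example.invalid>"


def render_html_cell(value: str) -> str:
    """Encode for an HTML text or quoted-attribute context.

    html.escape(quote=True) covers the same characters Jinja2 autoescaping
    does (& < > " '), so the stored value is inert in the page but unchanged
    in the database.
    """
    return html.escape(value, quote=True)


def render_csv(rows: List[Dict[str, str]]) -> str:
    """Write the raw value to CSV; the csv module quotes what CSV cares about."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["id", "name"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def strip_tags_on_input(value: str) -> str:
    """The sanitize-on-input approach the reply argues against.

    A deliberately naive tag stripper, included only to make the data loss
    visible: anything between < and > is thrown away, including legitimate
    text such as an e-mail address written in angle brackets.
    """
    out, depth = [], 0
    for ch in value:
        if ch == "<":
            depth += 1
        elif ch == ">" and depth:
            depth -= 1
        elif not depth:
            out.append(ch)
    return "".join(out)


def round_trip(value: str) -> str:
    """Output escaping is reversible: unescape gives back the stored value."""
    return html.unescape(render_html_cell(value))


if __name__ == "__main__":
    print(render_html_cell(STORED_NAME))
    print(render_csv([{"id": "7", "name": STORED_NAME}]), end="")
    print(repr(strip_tags_on_input(CONTACT)))
```

The caveat that goes with "may not be sufficient for every application": HTML entity escaping is correct for HTML text and quoted attribute values only. A value dropped into a `<script>` block, a URL, or an inline event handler needs the encoding for that context, and a template marked `|safe` or built by string concatenation bypasses autoescaping entirely.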

Re: [flask] validate JSON post data

From:
Scott Werner
Date:
2014-12-01 @ 13:44
I've been using WTForms-JSON (http://wtforms-json.readthedocs.org/en/latest/).

Thanks,
Scott Werner

Re: [flask] validate JSON post data

From:
Piyush Katariya
Date:
2014-11-28 @ 04:58
Flask-WTF all the way.

https://flask-wtf.readthedocs.org/en/latest/

Good Luck.
