Sometimes I have a form that is a bit complicated in logic, and needs validation beyond just type checking or regex, so I end up handling data directly from request.POST['item'], like:
from datetime import datetime

datetime.strptime(request.POST['item'], FORMAT)
MyModel.objects.filter(name=request.POST['item2'])
As far as I know, the first example would throw an exception at worst, so no security problems, and for the second example, the Django ORM would prevent SQLi. Is that correct?
I also have regex in the URLConf, so I guess it would be safe to handle the data taken from the URL in views.py because URLConf already validated it with regex, right?
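As an added illustration (not part of the question, and not Django's own code), here is a plain-Python sketch of the two patterns asked about: the date parsing with both of its failure modes caught so the view can answer 400 instead of crashing with a 500, and a parameterised sqlite3 query standing in for what the ORM does with filter(name=...). FORMAT is assumed to be "%Y-%m-%d", and the table rows are constructed.

```python
import sqlite3
from datetime import datetime

DATE_FORMAT = "%Y-%m-%d"  # assumed value for the question's FORMAT constant


def parse_item(post, key="item", fmt=DATE_FORMAT):
    """Parse a date field from a POST-like mapping.

    Returns (value, error). A missing key raises KeyError and a malformed
    value raises ValueError; both are turned into a client error message so
    the caller can reply 400 Bad Request rather than letting the exception
    surface as a 500.
    """
    try:
        raw = post[key]
    except KeyError:
        return None, f"missing field {key!r}"
    try:
        return datetime.strptime(raw, fmt), None
    except ValueError:
        return None, f"field {key!r} is not a date in format {fmt!r}"


def filter_by_name(conn, name):
    """Parameterised lookup standing in for MyModel.objects.filter(name=...).

    The value is bound as a parameter, not spliced into the SQL text, so
    quotes or comment markers inside it are matched literally.
    """
    cur = conn.execute("SELECT id, name FROM mymodel WHERE name = ?", (name,))
    return cur.fetchall()


def demo_db():
    """Constructed in-memory table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mymodel (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO mymodel (name) VALUES (?)",
                     [("alice",), ("bob",)])
    return conn


if __name__ == "__main__":
    print(parse_item({"item": "2024-03-05"}))
    print(parse_item({"item": "05/03/2024"}))
    print(parse_item({}))
    db = demo_db()
    print(filter_by_name(db, "alice"))
    print(filter_by_name(db, "' OR 1=1 --"))  # matched as a literal name: []
```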