On 14 Jun 2006, at 00:07, Rudolph wrote:
> I like your idea of explicitly turning it on or off globally in the
> settings. In addition to that idea I would suggest an option to set
> the
> behaviour for a whole Template, something like:
>
> tmpl = loader.get_template('example.csv')
> tmpl.auto_escape = False
> tmpl.render(context)
I'm not keen on either of those options. The template file itself is
the place where the assumption of escaping v.s. not-escaping matters.
Example: I write a template that expects auto escaping to be on:
<p>Hello, {{ name_from_form }}</p>
My assumption that escaping is turned on is built in to the template
file itself. If I hand it off to a friend and they deploy it
somewhere without realising that their settings file should have
AUTO_ESCAPE=True, they have an XSS hole. Alternatively, if they load
my template and set tmpl.auto_escape=False they have a hole as well.
Further more, setting auto escaping globally destroys all chances of
code reusability. What if I download a forum application from
somewhere and a poll application from somewhere else, and one of them
expects the global AUTO_ESCAPE option to be true while the other
expects it to be false? This is /exactly/ what happened with the
whole magic quotes thing in PHP and it made writing reusable PHP
components virtually impossible.
In my opinion, there are three viable solutions:
1. auto_escape is on for ALL Django templates ALL the time. It may
well be too late to do this due to backwards compatibility concerns.
2. auto_escape is controlled in the Django template file itself. The
above example might become something like this:
{% auto_escape_on %} <!-- global setting for this template -->
<p>Hello, {{ name_from_form }}</p>
Or maybe a block-style template tag:
{% autoescape %}
<p>Hello, {{ name_from_form }}</p>
{% endautoescape %}
While the second seems to fit better with previous template tags, I
actually prefer the first. It reminds me of Python's method for
stating that a .py source code is written in UTF-8:
# -*- coding: utf-8 -*-
3. Auto escape based on the file extension for the template -
"frontpage.html" gets auto escaped, "welcome_email.txt" doesn't. I'm
not sure how I feel about this option.
The ideal situation would be for auto_escape to be on by default, and
let templates turn it off if they need to. This has serious backwards
compatibility issues however.
Naturually, an "unescape" filter should be included so that even when
auto escaping is on you can still undo it on a per-variable basis if
you need to.
Cheers,
Simon
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/django-developers
-~----------~----~----~----~------~----~------~--~---
