the problem is that there are multiple types of escaping. sql? html? javascript? new-web-tech-of-the-day? do you escape them all, or just some?
personally, i don't like my framework to auto-munge my data behind my back. esp. in ways that are not clearly defined and could change on a whim. too many potential secondary effects. plus it stinks to me of a false sense of security while implicitly OKing people to ignore security. but if it is going to be done, i'd suggest a flag on the field in the model. ("automunge-html":="true"?) with perhaps a model default.

SmileyChris wrote:
> Here's how I see it:
> - 99% of the time, templates are HTML
> - most template variables should be escaped
> - developers are human and will miss variables that need escaping
>
> My proposal is that all template variables are escaped by default.
>
> Think about it for a bit before you throw the idea away. Then reply
> with your thoughts.
>
> Of course we need an easy method to NOT auto-escape variables. Perhaps
> something like {{{{ raw_variable }}}}?
>
> There is also the issue of MASSIVE backwards incompatibility. The two
> options I see are:
> 1. A new variable type is created for auto-escaping instead
> 2. Provide a setting which turns this new functionality on but is off
> by default
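To make the "which escaping?" point concrete, here is an added example (not Django's code and not from either poster) of a toy template renderer that auto-escapes by default, uses a different escaper for a JavaScript-string context than for HTML, and carries a "safe" marker so an explicitly trusted value is passed through and an already-escaped value is not escaped twice. The names `SafeString`, `escape_html`, `escape_js_string` and `render` are hypothetical.

```python
"""Context-specific auto-escaping: the same untrusted value needs different
treatment in HTML text and inside a JavaScript string literal.
Added example, not Django code; all names are hypothetical."""
import html
import json
import re


class SafeString(str):
    """Marker for values that are already escaped or explicitly trusted.

    Escapers return this type, so escaping twice is a no-op (avoids the
    "auto-munge behind my back" double-escaping problem)."""


def escape_html(value):
    """Escape a value for an HTML text or quoted-attribute context."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


def escape_js_string(value):
    """Produce a JS string literal for an untrusted value.

    json.dumps handles quotes and backslashes; '<', '>' and '&' are
    additionally written as \\uXXXX so a '</script>' inside the value
    cannot terminate the enclosing <script> block."""
    if isinstance(value, SafeString):
        return value
    literal = json.dumps(str(value))
    literal = (literal.replace("<", "\\u003c")
                      .replace(">", "\\u003e")
                      .replace("&", "\\u0026"))
    return SafeString(literal)


_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template, context, escaper=escape_html):
    """Substitute {{ name }} placeholders, escaping every value by default.

    A caller that really wants raw output wraps the value in SafeString
    (the explicit opt-out the thread is asking for)."""
    return _VAR.sub(lambda m: escaper(context[m.group(1)]), template)


if __name__ == "__main__":
    # Constructed sample input: a value that is dangerous in both contexts.
    payload = '</script><script>alert(1)</script>'
    print(render("<p>{{ v }}</p>", {"v": payload}))
    print(render("var x = {{ v }};", {"v": payload}, escaper=escape_js_string))
    # Explicit opt-out: trusted markup passes through unchanged.
    print(render("<p>{{ v }}</p>", {"v": SafeString("<b>bold</b>")}))
```

Note that the HTML escaper is not sufficient for the JavaScript context (it would leave a bare `"` unescaped inside a JS literal), and the JS escaper is not sufficient for HTML, which is exactly why a single framework-wide "auto-escape" needs a defined context rather than one catch-all transformation.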