Hi folks -- So the benefits of automatic escaping are pretty obvious -- protection from XSS attacks -- but I'm wary of a few details in the existing proposals.
First, escaping everything by default completely breaks every existing template. That's not necessarily a complete deal-breaker, but I'm pretty much -1 on the idea as it seems too radical.

I like the proposal by Simon (et al) for an {% autoescape on %} tag. However, there are some semantics of the tag that are scary. Not doing it as a block tag means that simply by calling the tag I've switched the template language into a different system. That has non-obvious implications when used with extension/inclusion. For example::

    base.html:

        {% autoescape on %}
        {% block content %}{% endblock %}

    child.html:

        {% extends "base.html" %}
        {% block content %}{{ var }}{% endblock %}

How does {{ var }} behave in the child template? And for content brought in through {% include %}? Sure, answers to these questions can be documented, but I still think they'd be non-obvious. Because of that, I'm -0 on this concept without further exploration.

Given that, I think the best idea is still using a block tag::

    {% escape %}
    {{ var }}
    {% endescape %}

That just seems the most clear to me.

Jacob

You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/django-developers
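As an added illustration (not code from Jacob's mail and not Django's own template engine), the following toy Python renderer implements the block-tag semantics he prefers: `{{ var }}` is substituted raw by default, and only substitutions that fall inside `{% escape %} ... {% endescape %}` are HTML-escaped. The mini template syntax, the `render` function and the attacker-style sample value are all constructed for this example; it exists to make the XSS consequence of the two behaviours concrete.

```python
import html
import re

# Constructed sample of untrusted input, as an attacker might submit it in a
# comment field. It is not real data from any site.
UNTRUSTED_INPUT = '<script>alert("xss")</script>'

# Two constructed templates: one renders the variable raw, the other wraps the
# same markup in the proposed {% escape %} block tag.
RAW_TEMPLATE = "<p>{{ comment }}</p>"
ESCAPED_TEMPLATE = "{% escape %}<p>{{ comment }}</p>{% endescape %}"

# Recognises the two constructs this toy engine supports:
#   group(1): the block-tag keywords "escape" / "endescape"
#   group(2): a variable name inside {{ ... }}
TAG_RE = re.compile(r"{%\s*(escape|endescape)\s*%}|{{\s*(\w+)\s*}}")


def render(template: str, context: dict) -> str:
    """Render a toy template.

    Outside an escape block, {{ var }} is inserted exactly as stored (the
    pre-autoescape behaviour). Inside {% escape %} ... {% endescape %} every
    substitution is passed through html.escape(), so '<', '>', '&' and quotes
    become entities and cannot start a tag or break out of an attribute.
    Literal template text is never escaped; only substituted values are.
    """
    out = []
    pos = 0
    escaping = False
    for match in TAG_RE.finditer(template):
        out.append(template[pos:match.start()])  # literal text before the tag
        keyword, name = match.group(1), match.group(2)
        if keyword == "escape":
            escaping = True
        elif keyword == "endescape":
            escaping = False
        else:
            value = str(context.get(name, ""))
            # quote=True also encodes " and ', which matters when a value is
            # interpolated into an attribute rather than element text.
            out.append(html.escape(value, quote=True) if escaping else value)
        pos = match.end()
    out.append(template[pos:])
    return "".join(out)


def render_raw(comment: str) -> str:
    """Render the untrusted value with no escaping block in the template."""
    return render(RAW_TEMPLATE, {"comment": comment})


def render_escaped(comment: str) -> str:
    """Render the same value inside an {% escape %} block."""
    return render(ESCAPED_TEMPLATE, {"comment": comment})


if __name__ == "__main__":
    # The raw rendering ships the attacker's <script> element to the browser;
    # the escaped rendering shows the payload as inert text.
    print("raw:     ", render_raw(UNTRUSTED_INPUT))
    print("escaped: ", render_escaped(UNTRUSTED_INPUT))
```

Run it directly to see both outputs side by side. The escaping state is a single flag that flips at `{% escape %}` and `{% endescape %}`, which is exactly why a block tag is easy to reason about: the region of the template affected is the region between the two tags, and nothing inherited or included from elsewhere can change it silently.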