Jacob Kaplan-Moss wrote:
> Hi folks --
>
> So the benefits of automatic escaping are pretty obvious --
> protection from XSS attacks -- but I'm wary of a few details in the
> existing proposals.
>
> <snip/>
I completely agree that before doing such a global change, all consequences will have to be examined/specified.

> Given that, I think the best idea is still using a block tag::
>
>     {% escape %}
>     {{ var }}
>     {% endescape %}
>
> that just seems the most clear to me.

Maybe we could try to answer a question: is it true that people usually forget to escape dangerous variables?

a) If no (people do not forget): this means people are already using 'escape' when needed. In this case, this block-level tag is a welcome addition, because it makes it simpler/more convenient to toggle escaping.

b) If yes (people do forget): a block-level tag will not help. People will forget to use it the same way they forget to use the 'escape' filter.

My guess is (b).

gabor
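Added example, not part of the thread and not Django's template engine: a toy renderer that implements only the three constructs under discussion ({{ var }}, {{ var|escape }}, and the proposed {% escape %} ... {% endescape %} block) plus an autoescape flag standing in for the "global change". The TOKEN_RE grammar, the render() signature, the PAYLOAD and the TEMPLATES table are all constructed for this illustration. It renders the same template as four different authors would write it, so you can see gabor's point (b) directly: the filter and the block tag both work, but only when the author remembers them, while escaping by default protects the author who forgot.

```python
import html
import re

# Constructed toy renderer (not Django's template engine) covering just the
# three constructs under discussion: {{ var }}, {{ var|escape }} and a
# block-level {% escape %} ... {% endescape %} tag.  The autoescape flag on
# render() stands in for the "global change" (escaping on by default).
TOKEN_RE = re.compile(r"({{.*?}}|{%.*?%})", re.DOTALL)


def escape(value):
    """HTML-escape a value for a text node or a quoted attribute (& < > " ')."""
    return html.escape(str(value), quote=True)


def render(template, context, autoescape=False):
    """Render TEMPLATE against CONTEXT.

    Escaping rules (mirroring the proposal in the thread):
      * {{ var|escape }} is always escaped;
      * {{ var }} inside {% escape %} ... {% endescape %} is escaped;
      * {{ var }} elsewhere is escaped only if autoescape=True;
      * a value is escaped at most once, so nothing is double-escaped.
    """
    out = []
    depth = 0  # nesting depth of {% escape %} blocks
    for tok in TOKEN_RE.split(template):
        if tok.startswith("{{") and tok.endswith("}}"):
            name, _, filt = tok[2:-2].partition("|")
            name, filt = name.strip(), filt.strip()
            value = str(context.get(name, ""))
            if filt == "escape" or depth > 0 or autoescape:
                value = escape(value)
            elif filt:
                raise ValueError(f"unknown filter {filt!r}")
            out.append(value)
        elif tok.startswith("{%") and tok.endswith("%}"):
            tag = tok[2:-2].strip()
            if tag == "escape":
                depth += 1
            elif tag == "endescape":
                if depth == 0:
                    raise ValueError("{% endescape %} without {% escape %}")
                depth -= 1
            else:
                raise ValueError(f"unknown tag {tag!r}")
        else:
            out.append(tok)  # literal template text
    if depth:
        raise ValueError("unclosed {% escape %}")
    return "".join(out)


def leaks_markup(rendered, payload):
    """True if the attacker-controlled PAYLOAD reached the output verbatim."""
    return payload in rendered


# Constructed attacker-controlled input, e.g. a user-supplied display name.
PAYLOAD = "<script>alert(1)</script>"
CONTEXT = {"name": PAYLOAD}

# The same template as written by four authors: one who forgot, one who used
# the filter, one who used the block tag, and one on a system that escapes by
# default.  Only the first leaks, because it relies on the author remembering.
TEMPLATES = {
    "forgot":  ("<p>Hello {{ name }}</p>", False),
    "filter":  ("<p>Hello {{ name|escape }}</p>", False),
    "block":   ("{% escape %}<p>Hello {{ name }}</p>{% endescape %}", False),
    "default": ("<p>Hello {{ name }}</p>", True),
}


def run_cases():
    """Return {label: (rendered, leaks)} for every template variant."""
    results = {}
    for label, (tpl, auto) in TEMPLATES.items():
        rendered = render(tpl, CONTEXT, autoescape=auto)
        results[label] = (rendered, leaks_markup(rendered, PAYLOAD))
    return results


if __name__ == "__main__":
    for label, (rendered, leaks) in run_cases().items():
        print(f"{label:8} {'LEAK' if leaks else 'ok  '} {rendered}")
```

Two things the toy deliberately sidesteps: it escapes a value at most once, so {{ var|escape }} under autoescape does not double-escape, but it has no way to mark a value as intentionally safe HTML, which a real engine needs the moment escaping is on by default (Django eventually shipped this design as {% autoescape on %} with a safe filter and mark_safe for that purpose). It also escapes with html.escape(quote=True), which covers text nodes and quoted attribute values only; a value placed inside a script block, a URL or an unquoted attribute needs context-specific encoding that no generic escape filter provides.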