gabor wrote:
> is it true that people usually forget to escape dangerous variables?
>
> a) if no (people do not forget):
> means people are already using 'escape' when needed. in this case, this
> block-level tag is a welcome addition, because it makes it
> simpler/more-convenient to toggle escaping.
>
> b) if yes (people do forget):
> a block level tag will not help. people will forget to use them the same
> way they forget to use the 'escape' filter.
>
> my guess is (b)
or c) people don't know what XSS is and are clueless about the need to escape. A good case for turning escaping on by default. What would you rather have: "Help, help! How do I turn off escaping?" or "Help, help! H4a0r s+0l3|> my Dj4|\|g0!!!!!!!!111"
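As an added illustration of the trade-off discussed above (constructed for this note; it is neither code from the thread nor Django's template engine), here is a toy renderer modelled loosely on Django-style syntax: `{{ var }}`, an explicit `{{ var|escape }}` filter, and a block-level `{% autoescape on|off %} ... {% endautoescape %}` tag. The tag and filter names are assumptions for the example; the point it shows is that with escape-by-default a forgotten filter still yields escaped output, whereas with opt-in escaping the same forgotten filter passes the raw value through.

```python
import html
import re

# Constructed example: a minimal renderer, not Django's engine.
# Recognises {% autoescape on|off %}, {% endautoescape %}, and {{ var|filter }}.
TOKEN = re.compile(
    r"{%\s*(autoescape\s+(on|off)|endautoescape)\s*%}"
    r"|{{\s*(\w+)((?:\|\w+)*)\s*}}"
)


def render(template, context, autoescape_default):
    """Render `template` with `context`; `autoescape_default` is the
    engine-wide setting that the thread argues should be True."""
    out = []
    stack = [autoescape_default]  # innermost autoescape state is stack[-1]
    pos = 0
    for m in TOKEN.finditer(template):
        out.append(template[pos:m.start()])
        pos = m.end()
        if m.group(1) is not None:  # block-level tag
            if m.group(1).startswith("autoescape"):
                stack.append(m.group(2) == "on")
            elif len(stack) == 1:
                raise ValueError("endautoescape without matching autoescape")
            else:
                stack.pop()
            continue
        value = str(context.get(m.group(3), ""))
        filters = [f for f in m.group(4).split("|") if f]
        escaped = False
        for f in filters:
            if f != "escape":
                raise ValueError(f"unknown filter: {f}")
            if not escaped:  # escape once, never double-escape
                value = html.escape(value, quote=True)
                escaped = True
        if stack[-1] and not escaped:  # autoescape catches the forgotten filter
            value = html.escape(value, quote=True)
        out.append(value)
    out.append(template[pos:])
    return "".join(out)


if __name__ == "__main__":
    untrusted = {"name": "<script>alert(1)</script>"}  # constructed sample input
    print(render("<p>{{ name }}</p>", untrusted, autoescape_default=False))
    print(render("<p>{{ name }}</p>", untrusted, autoescape_default=True))
```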