On 6/16/06, Christopher Lenz <[EMAIL PROTECTED]> wrote:
> To reiterate: templates shouldn't need to care about escaping. Django
> *in particular* uses an intentionally dumbed down template system
> that is supposed to be easy for non-programmers, which includes the
> notion that little mistakes in templates shouldn't break the site or
> even introduce security holes.
The problem here, architecture-wise, is that the template is the thing
that cares about what output looks like. Moving the decision of
whether to escape or not into some other part of the stack breaks with
that and introduces the possibility of frustrating inconsistency in
the templating system; explaining to a template author why {{ foo }}
escapes in one case but not another, based on (to the template author)
black magic happening in the backend isn't something I particularly
want to do.
> IMHO, a real solution for this problem is that any normal string
> inserted into template output is escaped by default. This does not
> necessarily mean that there needs to be an unescape filter, though.
Yes. Yes, it does.
> In fact, most of the time Django components that generate a string
> they *know* that they are generating text that must not be escaped,
> such as the output of the markdown filter, or form field render()
> results. Those places should flag the strings they are generating in
> some way (for example by wrapping them in a special class), thereby
> signaling to the template system that those strings should not be
> escaped again.
As someone who's followed various RSS-related discussions for a long
time, I can say that having multiple layers of a system have to worry
about whether the other layers have escaped or unescaped something is
a very special kind of hell that I don't want Django to get mired in.
But beyond that, it feels like a violation of loose coupling; doing
this would bind Django components to each other in ways that don't
feel right.
My vote is for escaping being off unless explicitly turned on, and for
it being turned on in the template.
--
"May the forces of evil become confused on the way to your house."
-- George Carlin
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/django-developers
-~----------~----~----~----~------~----~------~--~---
