On 6/21/06, oefe <[EMAIL PROTECTED]> wrote:
>
> Agreed.
> To prevent XSS vulnerabilities because someone forgot to specify the
> escaping rule, I would suggest that templates should, maybe even must,
> specify their escaping. For example, require each template to contain a
> special {% autoescape <format> %} tag at the beginning, e.g.
> {% autoescape html %}. If the designer doesn't want any auto-escaping, she
> should say so: {% autoescape off %} (or plaintext, if you prefer).
Oh ye gods, please no. :-) This is exactly what James was referring to as "security by annoyance"; forcing me to place a boilerplate like that at the top of every template is going to get frustrating, fast.

--
You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to [EMAIL PROTECTED]. For more options, visit this group at http://groups.google.com/group/django-developers
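To make the trade-off in the thread concrete, here is an added illustration of oefe's proposal as a toy renderer. It is not Django's template engine and not code from either poster: it refuses to render any template whose first tag is not an `{% autoescape <format> %}` declaration, and escapes every `{{ var }}` substitution according to the declared mode. The tag and variable syntax, the `MissingAutoescape` error and the `html`/`off` mode names are assumptions made for this example.

```python
import html
import re

# Constructed toy renderer (not Django's) illustrating the proposal that a
# template must declare its escaping mode before anything is rendered.
# Assumed syntax: "{% autoescape html %}" or "{% autoescape off %}" as the
# first tag, followed by the body with "{{ name }}" substitutions.

TAG_RE = re.compile(r"^\s*\{%\s*autoescape\s+(\w+)\s*%\}\s*")
VAR_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")


class MissingAutoescape(ValueError):
    """Raised when a template does not begin with an autoescape declaration."""


# Assumed escaping modes. "html" uses the stdlib escaper (quotes included);
# "off" is the designer's explicit opt-out.
ESCAPERS = {
    "html": html.escape,
    "off": lambda s: s,
}


def parse_autoescape(template):
    """Return (mode, body) for a template, or raise if no mode is declared."""
    m = TAG_RE.match(template)
    if not m:
        raise MissingAutoescape(
            "template must start with {% autoescape <format> %}"
        )
    mode = m.group(1)
    if mode not in ESCAPERS:
        raise ValueError(f"unknown autoescape mode {mode!r}")
    return mode, template[m.end():]


def render(template, context):
    """Render the template, escaping each substituted value per its mode."""
    mode, body = parse_autoescape(template)
    escape = ESCAPERS[mode]

    def substitute(match):
        return escape(str(context[match.group(1)]))

    return VAR_RE.sub(substitute, body)


def declares_escaping(template):
    """True if the template would be accepted by the renderer at all."""
    try:
        parse_autoescape(template)
    except MissingAutoescape:
        return False
    return True


if __name__ == "__main__":
    # Constructed attacker-controlled value.
    ctx = {"name": "<script>alert(1)</script>"}
    print(render("{% autoescape html %}<p>Hi {{ name }}</p>", ctx))
    print(render("{% autoescape off %}<p>Hi {{ name }}</p>", ctx))
    print(declares_escaping("<p>Hi {{ name }}</p>"))
```

The last call shows the cost the reply objects to: a template that simply omits the boilerplate line is rejected outright rather than rendered, which is what makes the forgotten-escaping case impossible and also what makes the tag feel like annoyance.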