James Bennett wrote:

> The view decides which template to use, and what variables will be
> made available to the template, but that's not really the same thing;
> the question here is "which layer of Django decides what the actual
> output bits will be that go over the wire?" And the answer is mostly
> the template, because that's where the output is structured and
> coddled and worked into whatever form is desired.
Thanks for the replies to my questions, James. That clears a lot up in my head - obviously I was looking at the order of things a bit skewed.

> What happens when someone uses a simple template tag to add variables
> to the context that weren't supplied by the view? If nothing else,
> that seems to be the death knell for escaping controls in the view,
> because then we'd have to go down a DRY-violating road of "remember to
> turn on escaping in your view *and* remember to turn on escaping in
> your template tags".

I see your point with this breaking DRY. So if DRY *is* a major priority, then say I am writing a project that I know will be outputting to HTML 99% of the time. Having to turn on escaping in every template (or worse, every tag!) seems quite a "repetitious" task. I guess then it becomes an argument between DRY vs explicitness. So is explicit > DRY?

> No. Again, the template is what decides how the output will actually
> look

My only disagreement with this is that you may be using a template block in several contexts with an {% include %}.

Ahmad, thanks for your input too. I see that it's probably best to leave this in the hands of the template itself.

Regarding doing a "security audit", assuming you had some method of defining the default escaping (if any), it would seem easier and safer to audit if you were looking for cases where you didn't need to escape (the more rare case). But this is getting back to the main auto-escape discussion.

Coming back to my DRY vs explicit thoughts. Maybe it's still too implicit, but I would be happy if you could just specify your {% escape html %} block (in whatever format it ends up in) in your base template as opposed to doing it in every single template.
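The point James makes about template tags adding context variables behind the view's back, and the audit remark about unescaped output being the rare, explicit case, are easier to see side by side in code. The following is an added illustration, not part of this thread and not Django's template engine: a constructed toy renderer with `{{ name }}` variables, a stand-in `tag_adds_context` tag, and a hypothetical `SafeString` marker, with a constructed hostile comment as the input.

```python
import html
import re

# Constructed toy template engine for illustration only; it is NOT Django's
# template system. Variables are written {{ name }}.
VAR_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")


class SafeString(str):
    """Hypothetical marker for output the author explicitly vouches for
    (already-escaped or trusted markup). This is the rare case, so it is
    the thing an audit greps for."""


def tag_adds_context(ctx):
    """Stand-in for a 'simple template tag' that injects a variable the view
    never supplied. The value is constructed attacker-style input."""
    ctx["latest_comment"] = "<script>alert('x')</script>"
    return ctx


def render_escape_in_view(template, view_vars):
    """Layer A: the view escapes what it hands over; a tag then runs later
    and its variable never passes through the view's escaping."""
    ctx = {
        k: v if isinstance(v, SafeString) else html.escape(str(v))
        for k, v in view_vars.items()
    }
    ctx = tag_adds_context(ctx)  # bypasses whatever the view did
    return VAR_RE.sub(lambda m: str(ctx.get(m.group(1), "")), template)


def render_escape_in_template(template, view_vars, autoescape=True):
    """Layer B: the template escapes at output time, so a value is escaped
    whoever put it in the context, unless explicitly marked safe or the
    template has turned autoescaping off."""
    ctx = tag_adds_context(dict(view_vars))

    def emit(match):
        value = ctx.get(match.group(1), "")
        if isinstance(value, SafeString) or not autoescape:
            return str(value)
        return html.escape(str(value))

    return VAR_RE.sub(emit, template)


# Constructed template and view context.
TEMPLATE = "<h1>{{ title }}</h1><p>{{ latest_comment }}</p><div>{{ sidebar }}</div>"
VIEW_VARS = {
    "title": "Tom & Jerry <3",
    "sidebar": SafeString('<a href="/about">About</a>'),  # trusted markup
}

if __name__ == "__main__":
    print("escape in view:    ", render_escape_in_view(TEMPLATE, VIEW_VARS))
    print("escape in template:", render_escape_in_template(TEMPLATE, VIEW_VARS))
```

Both renderers treat the view's own variables identically; the difference is the tag-supplied `latest_comment`, which only the output-time escaping catches. The `SafeString` path is the one place that emits raw markup, which is what makes the "look for where escaping is turned off" audit tractable.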