Okay, post-Starbucks chat with my co-workers, here's my last-ditch
mitigation proposal:

Set autoescaping on by default for anything ending in ``.html`` (and,
perhaps, ``.htm``), and off otherwise.

Being (at least ideally) language-neutral has precedent in Django;
we've already moved away from assuming templates end in ``.html``, and
at least part of the reasoning there was acknowledging that the
template language is used for more than just HTML.  By having
autoescape off by default for non-HTML templates, one can write
one-off plain-text email templates, server configuration files, LaTeX,
or what-have-you -- stuff that doesn't necessarily lend well to
hierarchical template extension -- without always having to drop an
{% autoescape off %} line on top.

Is this a bit magical?  Yes, of course -- but certainly no more so than
having autoescaping on by default, and in fact removes a bit of magic
from non-HTML use cases.

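The extension rule proposed in the message above, as an added example that is not part of the original post and is not Django's code. The `{{ var }}` renderer, the function names and the sample templates are hypothetical, and case-insensitive extension matching is an assumption the message does not state.

```python
import html
import re
from pathlib import PurePosixPath

# Extensions that switch autoescaping on, per the proposal.
HTML_EXTENSIONS = {".html", ".htm"}

_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def autoescape_default(template_name):
    """Return True when the template name ends in .html or .htm."""
    # Assumption: matching ignores case, so "base.HTML" counts as HTML.
    return PurePosixPath(template_name).suffix.lower() in HTML_EXTENSIONS


def render(template_name, source, context):
    """Toy {{ var }} renderer (hypothetical, not Django's engine)."""
    escape = autoescape_default(template_name)

    def substitute(match):
        value = str(context.get(match.group(1), ""))
        return html.escape(value) if escape else value

    return _VAR.sub(substitute, source)


# Constructed sample input: one untrusted value rendered under several names.
CONTEXT = {"name": "A & B <b>Ltd</b>"}
SAMPLES = {
    "welcome.html": "<p>Hello {{ name }}</p>",
    "welcome.txt": "Hello {{ name }}",
    "page.xhtml": "<p>Hello {{ name }}</p>",      # markup, but not .html/.htm
    "page.html.bak": "<p>Hello {{ name }}</p>",   # last suffix decides
}


def render_all():
    """Render every sample and report whether escaping was applied."""
    return {
        name: (autoescape_default(name), render(name, src, CONTEXT))
        for name, src in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (escaped, output) in render_all().items():
        print(f"{name:15} autoescape={escaped!s:5} {output}")
```

Templates that carry markup under another name, such as `page.xhtml` or `page.html.bak` here, fall outside the rule and render the value unescaped, so they would still need an explicit autoescape setting.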