On Aug 1, 7:56 pm, "Tom Tobin" <[EMAIL PROTECTED]> wrote:
> Set autoescaping on by default for anything ending in ``.html`` (and,
> perhaps, ``.htm``), and off otherwise.

I've been thinking about this a bit, and it seems like it could work well if it was done the other way round - basically, autoescaping is on for everything EXCEPT templates where the template name is known /and/ it ends in .txt.

I don't think this would be too hacky to implement - templates that are loaded (as opposed to constructed from a string) already know their template name as part of the template error handling code; all that would be needed would be a way to tell a newly created template to default to autoescape off, and then a bit of code in the relevant template loader to special case for template names ending in .txt.

Generally I'm really glad to see that most people have come round to autoescaping being on by default now. I personally don't see it as a way of protecting newbie developers so much as it's a way of protecting all developers from one tiny mistake blowing the security of their application wide open.
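
A minimal sketch of the default proposed in this message, added here as an illustration; it is not part of the original message and is not Django's code. `Template`, `DictLoader` and `default_autoescape` are hypothetical names, and the templates and input are constructed.

```python
import html
import re

_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")

class Template:
    """Toy template: only {{ name }} substitution, escaped unless autoescape is off."""
    def __init__(self, source, name=None, autoescape=True):
        self.source = source
        self.name = name              # None when constructed from a string
        self.autoescape = autoescape  # safe default: on

    def render(self, context):
        def sub(match):
            value = str(context.get(match.group(1), ""))
            return html.escape(value, quote=True) if self.autoescape else value
        return _VAR.sub(sub, self.source)

def default_autoescape(name):
    """On for everything except a known template name ending in .txt."""
    return not (name is not None and name.endswith(".txt"))

class DictLoader:
    """Hypothetical loader over an in-memory dict standing in for template files."""
    def __init__(self, templates):
        self.templates = templates

    def get_template(self, name):
        # The loader knows the name, so it is the one place that can opt out.
        return Template(self.templates[name], name=name,
                        autoescape=default_autoescape(name))

# Constructed sample templates and input.
LOADER = DictLoader({
    "comment.html": "<p>{{ body }}</p>",
    "mail.txt": "Comment: {{ body }}",
    "feed": "<item>{{ body }}</item>",   # unknown extension: stays escaped
})
PAYLOAD = {"body": "<script>alert(1)</script> & co"}

def render_all():
    out = {n: LOADER.get_template(n).render(PAYLOAD) for n in LOADER.templates}
    # A template built from a string has no name, so it keeps the safe default.
    out["<string>"] = Template("<b>{{ body }}</b>").render(PAYLOAD)
    return out

if __name__ == "__main__":
    for name, text in render_all().items():
        print(f"{name:14} {text}")
```

Only `mail.txt` renders the value unescaped; the extensionless template and the string-built template both fall on the escaped side, which is the difference from defaulting to off for anything that is not `.html`.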