If/when we ever do finally sit down and implement an auto-escaping
proposal, I'd like to suggest we also just go ahead and turn on the
CSRF middleware by default, because apparently the fact that it isn't
enabled by default is leading people to scream about security
vulnerabilities in Django[1], which in turn causes package maintainers
to email me because the existence of a CVE makes it appear that
there's an actual problem here (as opposed to the actual report[2]
which concludes that users should enable the CSRF middleware, and
whose author -- I thought -- concluded that there was no problem after
being pointed in the direction of that middleware).

[1] http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5828
[2] http://www.securityfocus.com/archive/1/482983/100/0/threaded


-- 
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."

You received this message because you are subscribed to the Google Groups "Django developers" group.
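Added illustration (not code from this thread and not Django's own middleware) of the check a CSRF middleware performs and of why leaving it off by default matters: a per-session secret is embedded in forms, state-changing requests must echo it back, and a forged cross-site POST lacks it. The session and form are plain dicts, the field name `csrf_token` and the `csrf_enabled` switch are assumptions made for the example, and the sample requests at the bottom are constructed.

```python
"""
Toy CSRF check, written as an added example. It is not Django's CsrfMiddleware;
it shows the same idea: a per-session secret that forms must echo back, and
a request path that refuses state-changing requests lacking a matching token.
"""
import hmac
import secrets

# Read-only methods are not protected; CSRF is about state-changing requests.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def issue_csrf_token() -> str:
    """Mint an unguessable per-session secret (stored server side, embedded in forms)."""
    return secrets.token_hex(32)


def csrf_check(method: str, session_token, submitted_token) -> bool:
    """True if the request may proceed.

    Safe methods always pass. Any other method needs a submitted token equal to
    the session's token; compare_digest avoids a timing side channel on the compare.
    """
    if method.upper() in SAFE_METHODS:
        return True
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(str(session_token), str(submitted_token))


def handle_request(method: str, session: dict, form: dict, csrf_enabled: bool) -> int:
    """Minimal dispatcher returning an HTTP status code.

    session: server-side session data (assumed dict holding 'csrf_token').
    form:    submitted form fields (assumed dict; protected field is 'csrf_token').
    csrf_enabled mirrors whether the middleware is in the settings at all.
    """
    if csrf_enabled and not csrf_check(method, session.get("csrf_token"), form.get("csrf_token")):
        return 403  # reject: missing or mismatched token
    return 200  # handler would run and change state here


def demo() -> dict:
    """Run constructed requests through both configurations and report outcomes."""
    token = issue_csrf_token()
    session = {"csrf_token": token}
    legitimate = {"csrf_token": token, "amount": "10"}  # form rendered by our site
    forged = {"amount": "10"}  # cross-site form: attacker cannot read the secret
    return {
        "legit_enabled": handle_request("POST", session, legitimate, csrf_enabled=True),
        "forged_enabled": handle_request("POST", session, forged, csrf_enabled=True),
        "forged_disabled": handle_request("POST", session, forged, csrf_enabled=False),
        "get_enabled": handle_request("GET", session, {}, csrf_enabled=True),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The `forged_disabled` case is the situation the thread is about: with the middleware absent from the default configuration, the forged request is processed exactly like the legitimate one, and nothing in the application's own code distinguishes them.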