Currently, on python-ideas there is a discussion going on about taint 
tracking in Python. It's tracking data that comes from untrusted sources and 
preventing it from being used in sensitive places. This video [1] from last 
year explains the problems very well.

I noticed that we can do better in Django. We already have mark_safe, but 
what does such a SafeText mean? Safe as HTML, JavaScript, CSS, SQL or even 
something else? We know it's usually HTML, but that's not always the case.

Some people still have javascript in their templates and they use template 
tags inside their javascript. :(

Some people use the templating engine even for other stuff than generating 
HTML. The point is that we can't assume that "safe" means "safe as HTML". 
We have many languages in the web and HTML is just one of them.

I propose some changes that are backwards compatible for 
django.utils.safestring:
We should rename SafeText to HtmlText. Further we should not expect people 
to call format_html.

Instead of mark_safe, I propose that we call:
HtmlText('<p> %s </p>')
Explicitly annotating a string as HTML.

Instead of format_html, I propose that we do:
HtmlText('<p> %s </p>') % 'unsafe text'
Like django.utils.SafeText.__add__, we can implement SafeText.__mod__.

I think that string interpolation feels more natural. (Or for those who 
prefer .format(), we can add that method to HtmlText.)

It can also be possible to stack escaping filters in the future:
HtmlText('<script>%s</script>') % JavascriptText("function() { echo '%s'; }") % 'hello world'
(implementing JavascriptText can be hard, as escaping is different in 
different parts of the code.)

Further, I would deprecate mark_for_escaping and EscapeData. [2] There 
should never be a reason to call this function.

Any suggestions?

[1] http://www.youtube.com/watch?v=WmZvnKYiNlE
[2] mark_for_escaping = lambda s: str(s) # Actually: mark_for_escaping == str
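A minimal sketch of the HtmlText.__mod__ idea from the post above, added here as an illustration and not code from the post or from Django: every interpolated argument is escaped unless it is already HtmlText (the same rule format_html applies to .format() arguments), and __add__ follows Django's SafeText behaviour of dropping the marking when the other side is untrusted. It uses html.escape from the standard library instead of django.utils.html.escape so it runs without Django; render_comment and its sample input are constructed for the example.

```python
import html
from collections.abc import Mapping


class HtmlText(str):
    """A str whose content is trusted HTML (the HtmlText of the proposal)."""

    @staticmethod
    def _escape(value):
        # Trusted HTML passes through untouched; everything else is escaped.
        # All arguments become strings, so only %s conversions make sense.
        if isinstance(value, HtmlText):
            return value
        return HtmlText(html.escape(str(value), quote=True))

    def __mod__(self, args):
        # Handle the three shapes % accepts: a single value, a tuple, a mapping.
        if isinstance(args, Mapping):
            escaped = {k: self._escape(v) for k, v in args.items()}
        elif isinstance(args, tuple):
            escaped = tuple(self._escape(v) for v in args)
        else:
            escaped = self._escape(args)
        return HtmlText(str.__mod__(self, escaped))

    def __add__(self, other):
        # Like Django's SafeText.__add__: the result stays HtmlText only when
        # both sides are trusted; concatenating untrusted text gives a plain str.
        joined = str.__add__(self, other)
        return HtmlText(joined) if isinstance(other, HtmlText) else joined


def render_comment(author, body):
    """Render a comment (hypothetical view helper); both fields are untrusted."""
    return HtmlText('<p class="c"><b>%(author)s</b>: %(body)s</p>') % {
        'author': author,
        'body': body,
    }


if __name__ == '__main__':
    # Constructed sample input standing in for a hostile form submission.
    print(render_comment('mallory', '<script>alert(1)</script>'))
```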
