On Nov 8, 12:25 pm, "Oliver Lavery" <[EMAIL PROTECTED]> wrote:
> That's a pretty nice solution.
>
> Implicitness in this case is a desirable attribute, imho. For output
> filtering it would be nice to have HTML escaping be a sitewide default. This
> is just good security practice, deny by default, and allow by exception.
I concur. But in this case, it would be good to provide full backwards compatibility. My solution is as implicit as possible without being obnoxious :) To make it site-wide, all you have to do is wrap everything with {% finalfilter escape %} in your base.html template and all your {{ variable tags }} are protected.

On the other side of your discussion: personally, I'm not a fan at all of input filtering. As long as you trust your output methods, you shouldn't have to worry about this. There are solutions to this (like tidyhtml - I think?) if you need them, however.

You received this message because you are subscribed to the Google Groups "Django users" group: http://groups.google.com/group/django-users?hl=en
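The "deny by default, allow by exception" output model the thread is talking about, as an added example in plain Python. It is not Django's code and not the finalfilter tag proposed above: a minimal {{ var }} substitution renderer that HTML-escapes every value on output unless it is wrapped in a hypothetical SafeHTML marker, rendering an untrusted comment stored verbatim (a constructed sample, no input filtering applied) in both element and attribute context, and showing the one way the exception gets misused.

```python
# Added example (not Django's code, not the proposed finalfilter tag):
# a minimal {{ var }} renderer that HTML-escapes every value by default
# and lets only values wrapped in the hypothetical SafeHTML marker through.
import html
import re


class SafeHTML(str):
    """Marker for markup the developer has vouched for (allow by exception).
    Anything that is not a SafeHTML instance is escaped on output."""


_VAR_RE = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def render(template: str, context: dict) -> str:
    """Substitute {{ name }} placeholders; escape unless explicitly marked safe."""
    def substitute(match):
        value = context.get(match.group(1), "")
        if isinstance(value, SafeHTML):
            return str(value)                       # allow by exception
        return html.escape(str(value), quote=True)  # deny by default
    return _VAR_RE.sub(substitute, template)


def bold_unsafe(text: str) -> SafeHTML:
    """The classic mistake: concatenating untrusted text into markup and then
    vouching for the whole string. This bypasses the output escaping."""
    return SafeHTML("<b>" + text + "</b>")


def bold(text: str) -> SafeHTML:
    """Correct use of the exception: escape the untrusted part first, then
    vouch only for the markup the code itself produced."""
    return SafeHTML("<b>" + html.escape(text, quote=True) + "</b>")


# Constructed samples of untrusted input stored verbatim (no input filtering).
UNTRUSTED_COMMENT = '<script>alert(1)</script>'
UNTRUSTED_TITLE = '" onmouseover="alert(1)'

PAGE = (
    '<h1>{{ heading }}</h1>\n'
    '<p title="{{ title }}">{{ comment }}</p>\n'
    '<footer>{{ footer }}</footer>'
)


def demo() -> dict:
    """Render the same untrusted values through the safe and the bypassed path."""
    escaped = render(PAGE, {
        "heading": bold(UNTRUSTED_COMMENT),     # escaped, then wrapped in trusted markup
        "title": UNTRUSTED_TITLE,               # attribute context: quotes escaped
        "comment": UNTRUSTED_COMMENT,           # element context: tags escaped
        "footer": SafeHTML("<small>&copy; site</small>"),  # developer-written literal
    })
    bypassed = render("<p>{{ comment }}</p>",
                      {"comment": bold_unsafe(UNTRUSTED_COMMENT)})
    return {"escaped": escaped, "bypassed": bypassed}


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"--- {name} ---\n{out}")
```

The point of the bold_unsafe/bold pair: once escaping is the site-wide default, the only way script gets out is through the exception, so every place that constructs a SafeHTML value is where review effort belongs.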