On Sun, 2008-04-27 at 12:37 +0930, Darryl Ross wrote:
> James Bennett wrote:
> > On Sat, Apr 26, 2008 at 9:38 PM, Darryl Ross <[EMAIL PROTECTED]> wrote:
> >>  So my question is, is there an argument which will disable auto-escaping?
> >> If not, would there be some merit to adding some functionality that allows
> >> this, either as an argument or perhaps to make the auto-escaping only
> >> auto-escape if the template filename ends in '.html'?
> > 
> > No, and probably not. One of the key things about Django's
> > autoescaping is that, since it applies in the template, you can look
> > at the template to find out what's going on. Introducing lots of other
> > places where you'd need to look, transforming it from "look at the
> > template to see if the autoescape tag or the safe filter are used" to
> > "look at the template, then look at this argument, then look at this
> > setting, then..." would be a disaster.
> 
> I can see your point, but I disagree for two reasons.
> 
> The first is that to find out what template is being used, you most 
> likely need to look in the view for the urls file, so having an argument 
> there is obvious. 

No, it isn't obvious. Somebody writing a template should know exactly
how it is going to be parsed. That person isn't necessarily the person
writing the view (code). To keep the designer/developer separation
clean, we made auto-escaping controllable via the template.

> The second reason is that the auto-escaping was, correct me if I'm 
> wrong, to help prevent cross-site vulnerabilities caused by browsers 
> interpreting HTML. There are other uses for the templating besides 
> generating content for browsers, such as sending emails and generating 
> other files, like CSV or XML.

Which is why the autoescaping template tag exists. It enables you to
disable things.

You are bringing up points that were hashed out again and again on the
developers list leading up to autoescaping being committed. Yes, there
are differing opinions. There's no way to reach unanimous consensus here
and we picked one, quite usable, method for the implementation.

Malcolm

-- 
Always try to be modest and be proud of it! 
http://www.pointy-stick.com/blog/