On Fri, Oct 14, 2005 at 06:49:40PM +0400, Alex Kapranoff wrote:
>* Mark Stosberg <[EMAIL PROTECTED]> [October 14 2005, 18:37]:
>> I'm curious about what other people think about an option to
>> turn ESCAPE=HTML on default, to protect against cross script scripting
>> practices by default.
>All for it. About 10% of my TMPL_VARS are not escaped. "NOESCAPE=html"
>looks very confusing. Should probably be "ESCAPE=none".
Agreed, and that's a better option - remembering that we have ESCAPE=url as a
possible mode as well, and others in extension modules. default_escape_mode
would make sense as a parameter name.

R

_______________________________________________
Html-template-users mailing list
Html-template-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/html-template-users
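An added illustration of the behaviour discussed in this thread, not code from HTML::Template or from any poster: a small Python model of TMPL_VAR substitution in which tags without an ESCAPE attribute fall back to a configurable default, and ESCAPE=none is the explicit opt-out. The parameter name default_escape_mode follows the suggestion in the reply above; the simplified tag syntax, the render function and the sample values are assumptions made for the example.

```python
import html
import re
from urllib.parse import quote

# Escape modes named in the thread; "none" is the proposed explicit opt-out.
ESCAPERS = {
    "html": lambda s: html.escape(s, quote=True),
    "url": lambda s: quote(s, safe=""),
    "none": lambda s: s,
}

# Simplified tag syntax (assumption): <TMPL_VAR NAME=foo> or
# <TMPL_VAR NAME=foo ESCAPE=mode>.
TAG = re.compile(r"<TMPL_VAR\s+NAME=(\w+)(?:\s+ESCAPE=(\w+))?\s*>", re.IGNORECASE)


def render(template, params, default_escape_mode="none"):
    """Fill TMPL_VAR tags; a tag without ESCAPE= uses default_escape_mode."""
    def substitute(match):
        name = match.group(1)
        mode = (match.group(2) or default_escape_mode).lower()
        if mode not in ESCAPERS:
            raise ValueError(f"unknown escape mode: {mode}")
        return ESCAPERS[mode](str(params.get(name, "")))
    return TAG.sub(substitute, template)


# Constructed sample: an untrusted name, a URL parameter, trusted markup.
TEMPLATE = (
    "<p>Hello <TMPL_VAR NAME=user></p>"
    '<a href="/search?q=<TMPL_VAR NAME=query ESCAPE=url>">again</a>'
    "<TMPL_VAR NAME=footer ESCAPE=none>"
)
PARAMS = {
    "user": "<script>alert(1)</script>",
    "query": "a&b=c d",
    "footer": '<hr class="end">',
}

if __name__ == "__main__":
    # No default escaping: the unescaped variable reaches the page as markup.
    print(render(TEMPLATE, PARAMS))
    # HTML escaping by default: only the ESCAPE=none variable stays raw.
    print(render(TEMPLATE, PARAMS, default_escape_mode="html"))
```

With the default switched to html, the template author marks only the few variables that must carry markup, instead of having to remember ESCAPE=HTML on every other one.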