On 7 March 2011 12:11, Wichert Akkerman <wich...@wiggy.net> wrote:
> For input possibly. I consider invalid markup as possible output to be a bug
> in the template engine.

Right. Note that any dynamically included content will undergo escaping:

If your input is valid, you know that the output is going to be valid,
as long as content is not included as "structure".

Now if your application requires the inclusion of user-submitted HTML
content or other similar content that is not part of the application
distribution itself, it should be sanitized prior to usage in the
template engine (using an engine such as tidy). This is expensive and
should probably happen when that content is submitted in the first
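An added illustration of the distinction made above (escaped text versus "structure" inclusion, and sanitizing before the template engine ever sees the content). This is example code, not from the thread or from any Repoze project; the small allowlist sanitizer stands in for a real tool such as tidy, and the input fragment is constructed.

```python
import html
from html.parser import HTMLParser

# Constructed sample of user-submitted HTML containing a disallowed element.
USER_HTML = '<p>Hello <b>world</b><script>alert(1)</script></p>'

def render_escaped(value):
    """Default template behaviour: dynamic content is inserted as escaped text,
    so the output stays valid markup whatever the input contains."""
    return "<div>" + html.escape(value, quote=True) + "</div>"

def render_structure(value):
    """'structure' inclusion: inserted verbatim, so validity and safety of the
    output depend entirely on the caller having sanitized the value."""
    return "<div>" + value + "</div>"

class AllowlistSanitizer(HTMLParser):
    """Minimal allowlist sanitizer (stand-in for tidy or similar): keeps a few
    formatting tags without attributes, drops every other element together
    with its contents, and escapes all text nodes."""
    ALLOWED = {"p", "b", "i", "em", "strong"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a disallowed element

    def handle_starttag(self, tag, attrs):
        if tag in self.ALLOWED and self.skip_depth == 0:
            self.out.append(f"<{tag}>")  # attributes are deliberately dropped
        elif tag not in self.ALLOWED:
            self.skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.ALLOWED and self.skip_depth == 0:
            self.out.append(f"</{tag}>")
        elif tag not in self.ALLOWED and self.skip_depth > 0:
            self.skip_depth -= 1

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(html.escape(data))

def sanitize(fragment):
    """Run once at submission time, then store the cleaned fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Escaping keeps the output valid regardless of input; only content passed as structure needs the separate sanitize step, which is why it belongs at submission time rather than on every render.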

Repoze-dev mailing list
