On 13 Jan, 06:02, "SmileyChris" <[EMAIL PROTECTED]> wrote:
> We need to come to a consensus on Django autoescaping
There's an interesting discussion on GvR's blog, with several mentions
of escaping:
http://www.artima.com/forums/threaded.jsp?forum=106=146606
Speaking of Django 1.0, it also
Brian Beck wrote:
> +1 on a noescape "filter" (I'm not too familiar with the template code
> but it seems like it would have to be a special case rather than a real
> filter). The reason given above sounds right to me: people know when
> they don't want something to be escaped.
Although, this
Jeremy Bowers wrote:
> I've also discovered that even relatively skilled developers can have a
> lot of trouble catching every case that needs to be escaped, whereas
> almost any developer can correctly determine when *not* to escape
> something. The "it didn't work, I'll do X" algorithm that is
SmileyChris wrote:
> Rather than clog up the main "1.0" discussion, let's move this to a
> side discussion.
>
I can add some personal experience to this.
At work, we use Apache::ASP (perl-based), which uses <%= $value %> to
dump out a string directly into the HTML. After one too many XSS
Okay, I've been working with django for a little while, and I thought
I'd share my experience and point out some things that bugged/confused
me at first. Looking at settings.py:
MEDIA_* is poorly named since they overload the meaning of 'media'
which otherwise relates back to the static
Rather than clog up the main "1.0" discussion, let's move this to a
side discussion.
We need to come to a consensus on Django autoescaping - I'll put in my
2c for my alternative
(http://code.djangoproject.com/wiki/AutoEscape%20alternative) of
course, but whichever direction we go, it'd be good
On 1/12/07, Jacob Kaplan-Moss <[EMAIL PROTECTED]> wrote:
> Yeah, as I think about it, I think docs are important enough they need their
> own "leader" as well. That person could additionally take control of the
> documentation index -- which is getting a bit difficult to use -- and the FAQ.
On 1/12/07, Chris Nelson <[EMAIL PROTECTED]> wrote:
> I would prefer that auto-escaping didn't make it into Django. It may be
> an overly utopian ideal, but I think
> security issues, including escaping, should be a conscious effort
> involving research and understanding of the
> situation.
Jacob Kaplan-Moss wrote:
> On 1/12/07 6:02 PM, Malcolm Tredinnick wrote:
>
>> * Autoescaping: I think this needs to stay on the radar at least. We
>> came dangerously close to a consensus on this (both in discussions on
>> this list, based on Simon's proposal) and the discussions you, I and
>>
On 1/12/07 6:55 PM, Jeremy Bowers wrote:
> What about things that don't match any of those things? Should misc.
> patches be discussed before or after .96?
Well, you'll need to be a bit more specific about what "things" you're talking
about. I think, though, that there are three possibilities
Jacob Kaplan-Moss wrote:
> I'd like to appoint a "leader" for each "topic" (unstable API and must-have).
> This person will have checkin access to their area of interest so they'll
> need to be someone who's already got checkin or someone who's skilled enough
> to deserve it. This person
Jacob Kaplan-Moss wrote:
> On 1/12/07 6:40 PM, Michael Radziej wrote:
>> Adrian said that he wanted to make inline collections easier. I
>> thought that this is a real big thing, and will completely redefine
>> how the admin implements inline editing. And probably deeper. (Just
>> had a look at
Howdy folks --
A quick reminder: Monday 1/15 is the last day for early-bird registration for
PyCon (you'll save $65).
I'm told that my Django tutorials are nearing capacity, so if you're
interested in either of them, you should likely sign up sooner rather than
later.
See you in Dallas!
On 1/12/07 6:40 PM, Michael Radziej wrote:
> Adrian said that he wanted to make inline collections easier. I
> thought that this is a real big thing, and will completely redefine
> how the admin implements inline editing. And probably deeper. (Just
> had a look at AutomaticManipulator.save ...
Jacob Kaplan-Moss wrote:
> * Forms: the newforms library is coming along nicely. There's some work that
> remains, the bulk of which lies in converting the admin to use newforms
> instead of manipulators. At that point, the transition can really be called
> complete.
Adrian said that he
On 1/12/07 6:02 PM, Malcolm Tredinnick wrote:
> So I've been absent for a couple of months now with work and life
> commitments, but things are getting back on track (woo-hoo -- once again
> I will soon have no life.. hmm...wait a minute...). From the beginning
> of February (around Feb 5), I
On 1/12/07 5:59 PM, inflector wrote:
> As a noob I think you would be making a mistake without a simple Django
> installer for Windows, one that installs everything needed along with a
> non-trivial sample application that people can explore.
Good point. Eugene sent me a windows installer a
On 1/12/07 5:35 PM, David Zhou wrote:
> How about the docs on the Django site and the Django book site?
First, please consider the book somewhat separate from Django itself. Though
Adrian and I are the authors, and though we're involving the community as much
as possible, the release
On Jan 12, 2007, at 4:06 PM, Don Arbow wrote:
> Wasn't this dependent on query refactoring that Malcolm was working
> on?
>
Doh, I send my post and Malcolm's response arrives at the same time...
Don
On Jan 12, 2007, at 3:28 PM, John Sutherland wrote:
>
> On 12 Jan 2007, at 22:39, Jacob Kaplan-Moss wrote:
>> There's a few other things that aren't "unstable" per-se, but are
>> must-haves
>> for 1.0. I know everyone's gonna have their own list -- and one of
>> the
>> purposes of this thread is
On Fri, 2007-01-12 at 16:39 -0600, Jacob Kaplan-Moss wrote:
> Howdy folks --
>
> I think it's time to start a push towards releasing Django 1.0. What follows
> are my thoughts about how I'd like this process to work.
So I've been absent for a couple of months now with work and life
> == Other must-haves ==
>
> There's a few other things that aren't "unstable" per-se, but are must-haves
> for 1.0. I know everyone's gonna have their own list
As a noob I think you would be making a mistake without a simple Django
installer for Windows, one that installs everything needed
On Jan 12, 2007, at 5:39 PM, Jacob Kaplan-Moss wrote:
> == Feedback ==
>
> Well, have at it :)
How about the docs on the Django site and the Django book site?
Newforms, for example, is still fairly under documented, though
quickly improving. 1.0 is a big psychological milestone, and will
On 12 Jan 2007, at 22:39, Jacob Kaplan-Moss wrote:
> There's a few other things that aren't "unstable" per-se, but are
> must-haves
> for 1.0. I know everyone's gonna have their own list -- and one of
> the
> purposes of this thread is to find that list -- but I'd like to
> keep these
>
Howdy folks --
I think it's time to start a push towards releasing Django 1.0. What follows
are my thoughts about how I'd like this process to work.
== What does 1.0 mean for Django? ==
There's a lot of different things that "1.0" can mean. In many cases the
label refers to some arbitrary
On 1/12/07 1:28 AM, Xian wrote:
> It's my first patch. So I'd like people to take a look to make sure my
> bits are kosher.
> It's also an enhancement, not a bug fix, so please let me know if the
> implementation is up to par.
It looks quite good, and it fixes something that's bugged me for a
On 1/12/07, Gulopine <[EMAIL PROTECTED]> wrote:
...
> I should note, however, that security extends only so far as preventing
> a user from tampering with the cookie. If the cookie itself is
> compromised and removed from the computer by an attacker, it would
> presumably still be considered
> Can you explain the reasons why one would want to use signed cookies?
> What (presumably security) issues are they intended to overcome?
Yes, the main concept here is security. Since the signature is based on
name and value of the cookie as well as the project's SECRET_KEY, a
change to any one
http://code.djangoproject.com/ticket/3287
The ticket explains what's going on and shows use case/code examples.
There is a patch for making the change and another that updates the
relevant documentation.
It's my first patch. So I'd like people to take a look to make sure my
bits are kosher.
It's
I had the following problems with the default json encoder that is
suggested to use:
* can't handle Decimal
* ignores properties that are not fields, it only encodes the fields
(but I often add more properties to the object for passing to the
template)
* has problems with some m2m relations (at
From time to time I receive an error like this:
Mod_python error: "PythonHandler django.core.handlers.modpython"
Traceback (most recent call last):
File "C:\PYTHON23\Lib\site-packages\mod_python\apache.py", line 299,
in HandlerDispatch
result =
Gulopine wrote:
> I've taken the liberty of writing up a contrib middleware to
> transparently implement signed cookies in a Django app. It automatically
> signs and validates all cookies on its own, without any other code
> needing to know a thing about it.
Can you explain the reasons why one
This seems a long way to go for the want of removing a few
forward-slashes.
XHTML has become the de facto standard for Django, which is great, but
the vast majority of pages are still HTML 4. So if there's to be one
standard it should be that.
2006/12/22, juampa <[EMAIL PROTECTED]>:
>
> Hello all:
>
> I am trying to gather all the information I can about implementing web
> services with Django (XML-RPC, SOAP, REST). Can you suggest good
> sources of information/examples of implementations? What is the official
> status of WS support in