Jacob Kaplan-Moss wrote:

> The problem in the admin was fixed in [1982]:
> http://code.djangoproject.com/changeset/1982;

thanks (and sorry--I'll start using the svn then)

> in your own templates you'll want to use the "escape" filter
> (http://www.djangoproject.com/documentation/templates/#escape) on any
> potentially dangerous entries.
>
> > Why not do it for all variables?
>
> At times you want to pass chunks of HTML into a template that get
> displayed raw. I don't think the behavior you suggest should be default,
> but do you have any ideas on how to make it optional? It certainly could
> be useful in certain cases. Thanks for your input!

The problem I see is that it's potentially dangerous to use the
non-escaped strings, and I'd prefer to have the safe thing as default
(and, isn't it the most common case?)

My idea to make it optional is included (experimental!) in the attachment
to my original mail. In summary:

- provide an additional template class (I called it HTMLTemplate, but I'm
  not sure if this is a good name), together with loader support.
- there's also a subclass of unicode, currently called HTMLEscapedString.
  If you have something that is already in html format and should not be
  escaped, use this class.
- the template (or rather the associated HTMLVariableNode) will apply the
  template filter if the context entry is not already an instance of
  HTMLEscapedString

I'd like to see some comments from more seasoned django developers and
whether you feel this is the wrong way or if you are interested in this
some way or the other.

Michael

You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/django-developers
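The escape-by-default scheme Michael outlines (a marker subclass for already-escaped HTML, and a variable node that escapes everything else) as an added illustration; this is not the attachment from the mail, and `HTMLTemplate`, `escape` and `render_sample` here are a stand-alone sketch that only borrows the names from the proposal:

```python
import html
import re


class HTMLEscapedString(str):
    """Marks a string as HTML that is already escaped (or trusted) and
    must not be escaped again. Uses the name from the mail; the class
    body is an illustration, not the attached patch."""


def escape(value):
    """Escape value for HTML unless it is already marked as safe.

    The result is itself an HTMLEscapedString, so passing it through
    escape() a second time never double-escapes it."""
    if isinstance(value, HTMLEscapedString):
        return value
    return HTMLEscapedString(html.escape(str(value), quote=True))


class HTMLTemplate:
    """Minimal {{ name }} substitution template that escapes every
    variable by default (hypothetical stand-in for the proposed class)."""

    _VAR_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")

    def __init__(self, source):
        self.source = source

    def render(self, context):
        def substitute(match):
            # Missing variables render as empty, as in Django's engine.
            return escape(context.get(match.group(1), ""))
        return self._VAR_RE.sub(substitute, self.source)


# Constructed sample context: an untrusted comment containing markup,
# plus a trusted chunk of pre-rendered HTML that must pass through raw.
CONTEXT = {
    "comment": '<script>alert("xss")</script> a < b && c > d',
    "sidebar": HTMLEscapedString("<ul><li>trusted</li></ul>"),
}

TEMPLATE = HTMLTemplate("<p>{{ comment }}</p>{{ sidebar }}")


def render_sample():
    return TEMPLATE.render(CONTEXT)


if __name__ == "__main__":
    print(render_sample())
```

The untrusted `comment` comes out with `<`, `>`, `&` and `"` escaped while the `sidebar` chunk is inserted unchanged, which is exactly the split between default-safe output and explicitly trusted HTML the mail proposes.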