Jacob Kaplan-Moss wrote:

> Why not do it for all variables? At times you want to pass chunks of
> HTML into a template that get displayed raw. I don't think the
> behavior you suggest should be default, but do you have any ideas on
> how to make it optional?
the standard solution is to use a wrapper for strings that you *don't* want escaped.

see e.g. the section on "HTML templates" on this page:

http://www.mems-exchange.org/software/quixote/Quixote-2.2.tar.gz/Quixote-2.2/doc/PTL.html

and the h8 class in Qpy:

http://www.mems-exchange.org/software/qpy/qpy-1.2.tar.gz/qpy-1.2/README.txt

for some bullet-point background, see this presentation:

Eliminating XSS Holes
http://arctrix.com/nas/talks/htmltext.pdf

(fwiw, I'm +0 on adding this to Django's template system.)

</F>
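A minimal illustration of the wrapper approach described in the reply above, added here as an example; it is not code from the thread, from Quixote's htmltext or from qpy's h8. The names HtmlText, escape, html_join and render and the {{ name }} placeholder syntax are assumptions.

```python
import html
import re


class HtmlText(str):
    """str subclass marking a value as HTML that is already safe to emit.

    Only values wrapped in HtmlText bypass escaping; everything else is
    escaped at output, so the template is "escaped by default".
    """
    __slots__ = ()


def escape(value):
    """Return value as HtmlText, escaping it unless it is already marked."""
    if isinstance(value, HtmlText):
        return value  # trusted fragment: do not double-escape
    return HtmlText(html.escape(str(value), quote=True))


def html_join(sep, values):
    """Join values into one HtmlText, escaping each untrusted piece.

    Use this instead of `+`: HtmlText + str yields a plain str, so the
    safe marker is dropped and the whole result is escaped again at output.
    """
    return HtmlText(escape(sep).join(escape(v) for v in values))


_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template, context):
    """Substitute {{ name }} placeholders from context, escaping by default."""
    def substitute(match):
        return escape(context[match.group(1)])
    return HtmlText(_VAR.sub(substitute, template))


if __name__ == "__main__":
    # Constructed sample: an untrusted comment next to a trusted fragment.
    ctx = {"user": '<script>alert("x")</script>', "body": HtmlText("<b>hi</b>")}
    print(render("<p>{{ user }}: {{ body }}</p>", ctx))
```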