On 03.03.2006 at 18:53, Jacob Kaplan-Moss wrote:

> Hey folks --
>
> I've thought about this a bit more; lots of good points have been
> raised. What I'd like to do would be to add a new tag that takes
> care of auto-escaping variables used within it. Something like::
>
> {% autoescape %}
> Any {{ variables }} used within this {{ block }} will be
> automatically {{ escaped }}
> {% endautoescape %}
>
> How does that sound?
Not quite enough IMHO. I strongly agree with some of the other posters in this thread that any kind of output in an HTML template should be HTML-escaped by default. Values that contain markup that should not be escaped should be flagged explicitly.

In Trac 0.9.3 we added exactly this kind of behavior to greatly eliminate the risk for XSS vulnerabilities. See:

<http://projects.edgewall.com/trac/browser/trunk/trac/util.py#L56>

When the template engine sees a value that is a str/unicode, it gets escaped. If it gets a value that's an instance of the "Markup" class, it gets passed through as-is.

Adding such behavior to the Django template processor would be great. It's *much* easier to forget to escape something than to forget to flag it as not-needing-escaping.

Cheers,
Chris

--
Christopher Lenz
cmlenz at gmx.de
http://www.cmlenz.net/
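The escape-by-default policy described in the reply, as an added example that is not Trac's or Django's own code: plain values are HTML-escaped when interpolated, and only values wrapped in a `Markup` class pass through untouched. The `Markup` class, `escape()`, `render()` and the `{{ name }}` substitution regex are simplified stand-ins written for this illustration, and `render_trusting()` shows the opt-in (escape-only-when-asked) policy for contrast. The sample context values are constructed.

```python
"""Escape-by-default template rendering with an explicit Markup opt-out.

Added example, not the Trac or Django implementation: it demonstrates the
policy of escaping every str value unless it is an instance of a Markup
class. Names below (Markup, escape, render, render_trusting) are assumptions
made for this illustration.
"""
import html
import re


class Markup(str):
    """A string that is already safe HTML; the renderer will not escape it."""

    def __html__(self):
        return str(self)


def escape(value):
    """Return value as Markup, escaping it unless it is already Markup.

    Anything that is not Markup is converted to str and escaped, so ints,
    None and other objects cannot slip through unescaped. Escaping an
    already-escaped Markup value is a no-op, so double escaping cannot occur.
    """
    if isinstance(value, Markup):
        return value
    return Markup(html.escape(str(value), quote=True))


# Matches {{ name }} placeholders; simplified stand-in for a real template parser.
_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template, context):
    """Substitute {{ name }} placeholders, escaping every value by default."""
    def replace(match):
        name = match.group(1)
        if name not in context:
            raise KeyError(f"undefined template variable: {name}")
        return escape(context[name])
    return Markup(_VAR.sub(replace, template))


def render_trusting(template, context):
    """The opt-in policy, for contrast: nothing is escaped unless the author
    remembers to do it, so one forgotten user-controlled value is enough to
    inject markup into the page."""
    return _VAR.sub(lambda m: str(context[m.group(1)]), template)


if __name__ == "__main__":
    # Constructed sample input: a user-supplied display name containing markup,
    # plus a fragment the application has already rendered and trusts.
    ctx = {
        "name": '<script>alert("x")</script>',
        "body": Markup("<em>trusted, pre-rendered HTML</em>"),
    }
    tpl = "<p>Hello {{ name }}</p>{{ body }}"
    print(render(tpl, ctx))           # name is neutralised, body passes through
    print(render_trusting(tpl, ctx))  # name is emitted verbatim
```

The check that matters is the type test in `escape()`: the renderer never has to know where a value came from, and a developer who wants raw HTML has to wrap it in `Markup` at the point where they vouch for it. That is the asymmetry the reply points at: forgetting to escape is silent, while forgetting to mark something as safe shows up immediately as escaped text on the page.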