> > I've thought about this a bit more; lots of good points have been
> > raised. What I'd like to do would be to add a new tag that takes
> > care of auto-escaping variables used within it. Something like::
> >
> >     {% autoescape %}
> >     Any {{ variables }} used within this {{ block }} will be
> >     automatically {{ escaped }}
> >     {% endautoescape %}
> >
> > How does that sound?
>
> Not quite enough IMHO.
>
> I strongly agree with some of the other posters in this thread that
> any kind of output in an HTML-template should be HTML-escaped by
> default. Values that contain markup that should not be escaped should
> be flagged explicitly.
>
> In Trac 0.9.3 we added exactly this kind of behavior to greatly
> eliminate the risk for XSS vulnerabilities. See:
>
> <http://projects.edgewall.com/trac/browser/trunk/trac/util.py#L56>
>
> When the template engine sees a value that is a str/unicode, it gets
> escaped. If it gets a value that's an instance of the "Markup" class,
> it gets passed through as-is.
>
> Adding such behavior to the Django template processor would be great.
> It's *much* easier to forget to escape something than to forget to
> flag it as not-needing-escaping.
Sorry for being late to the discussion. Just wanted to give a +1 on having the possibility to escape (or not escape) whole blocks and a +0 on escaping everything by default. Is there already an open ticket on this?

Arthur

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/django-developers
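The two designs discussed in this thread (an opt-in `{% autoescape %}` block, versus escape-everything-by-default with a `Markup` class that marks a value as trusted) can be shown side by side in a few lines. The following is an added illustration, not code from the thread, from Trac or from Django: the `Markup` class, the `escape` function and the tiny `render` function are my own assumptions about how such a mechanism could look, and the `<script>` string is a constructed untrusted input used only to show which values reach the output unescaped.

```python
import html
import re


class Markup(str):
    """str subclass flagging a value as trusted HTML that must NOT be escaped.
    Assumed for this example; modelled on the idea described in the thread."""
    __slots__ = ()


def escape(value):
    """Escape anything that is not explicitly flagged as Markup.

    The result is itself Markup, so escaping an already-escaped value is a
    no-op and the output never gets double-escaped."""
    if isinstance(value, Markup):
        return value
    return Markup(html.escape(str(value), quote=True))


# {{ name }} variable references and {% autoescape %}...{% endautoescape %}
# blocks, in the shape proposed in the quoted message.
_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")
_BLOCK = re.compile(r"\{%\s*autoescape\s*%\}(.*?)\{%\s*endautoescape\s*%\}", re.S)


def _substitute(text, context, autoescape):
    """Replace every {{ var }} in text; escape the value only if autoescape is on."""
    def repl(match):
        value = context.get(match.group(1), "")
        return escape(value) if autoescape else str(value)
    return _VAR.sub(repl, text)


def render(template, context, escape_by_default=True):
    """Render a template under one of the two policies from the thread.

    Variables inside an {% autoescape %} block are always escaped.  Variables
    outside such a block are escaped only when escape_by_default is True,
    which is the policy the Trac poster argues for: a developer who forgets
    to flag a value gets a harmless escaped string rather than injected HTML.
    """
    pieces = []
    pos = 0
    for block in _BLOCK.finditer(template):
        pieces.append(_substitute(template[pos:block.start()], context, escape_by_default))
        pieces.append(_substitute(block.group(1), context, True))
        pos = block.end()
    pieces.append(_substitute(template[pos:], context, escape_by_default))
    return "".join(pieces)


if __name__ == "__main__":
    # Constructed sample context: one untrusted value, one value a developer
    # has deliberately flagged as safe markup.
    ctx = {"name": "<script>alert(1)</script>", "body": Markup("<b>bold</b>")}
    print(render("Hi {{ name }}: {{ body }}", ctx))                     # escaped by default
    print(render("Hi {{ name }}", ctx, escape_by_default=False))        # opt-in: forgotten, leaks
    print(render("{% autoescape %}{{ name }}{% endautoescape %}", ctx,
                 escape_by_default=False))                              # opt-in block catches it
```

Running the three `render` calls makes the thread's point concrete: with escape-by-default, the only way to get raw HTML into the page is to wrap a value in `Markup` on purpose, whereas with the opt-in block a single template that omits `{% autoescape %}` leaks the untrusted value verbatim.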