Simon Willison wrote:
> Here's an idea I don't think anyone has brought up yet: what if
> escaping was on by default for templates ending in .html and off by
> default for templates ending in .txt?

This does seem like a practical solution. But I think that it gives more meaning to template file names than they should have. It will make excerpts of Django templates impossible to interpret without knowing the name of the file. I can see the topic of the IRC channel becoming: "please specify the filename of any template code you paste here".

Besides, it will force people to change template filenames if they don't want auto-escaping. This can cause trouble, especially if you are referring to your template names in other places (extends, includes and views).

Jeremy Dunck wrote:
> Make a setting to turn define the default, and if the setting's not
> there, auto-escape.
> Anyone that doesn't want it can just turn it off by defining the setting.
>
> AUTO_ESCAPE_TEXT = _True_|False

This will couple templates to the project. This is the #1 reason why PHP sucks.

Todd O'Bryan wrote:
> {! !} seems perfect for raw, because the exclamation points emphasize
> that something bad could happen.
>
> {$ $} could be used for escaping, with the $'s designed to remind
> people of environment variables. This would be the tag people are
> encouraged to use unless they need raw HTML text.

This again is putting too much emphasis on HTML as the language used in templates. It reminds me of the special treatment Perl gives to regular expressions.

Bill de hÓra wrote:
> Scope it per template:
>
> {% extends "base_generic.html" %}
> {% escape %}
>
> This lets people who want auto-escaping, have it, without typing in
> "|escape" everywhere or screwing things up site wide with globals.

This is nearly perfect for my taste. The only thing is to make it just a bit more generic like this:

    {% autofilter escape %}

This will specify that the escape filter will be applied automatically to all variables. It is just as easy to use, it is not specific to HTML and it can be used in other useful contexts, like for escaping in a JavaScript template. It doesn't break backward compatibility.
It doesn't force you to do anything you don't want to. We can even provide the {! !} tags to mean "do not apply auto filter". Then I can imagine some files starting with:

    {% autofilter javascript_escape %}

Then escaping and the {! !} will work perfectly well in a JavaScript template.
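The per-template autofilter proposed in the message above, sketched as an added Python example (not code from the thread or from Django). The {% autofilter %} tag and {! !} raw syntax are the proposal's own hypothetical syntax; render(), FILTERS and this javascript_escape implementation are assumptions made for illustration.

```python
import html
import json
import re

def javascript_escape(value):
    """Escape text for use inside a quoted JavaScript string literal."""
    body = json.dumps(str(value))[1:-1]  # quotes, backslashes, control chars
    # Also neutralise characters that could close a <script> block or start markup.
    for ch in "<>&'":
        body = body.replace(ch, "\\u%04x" % ord(ch))
    return body

# Hypothetical filter registry; the names follow the ones used in the message.
FILTERS = {
    "escape": lambda v: html.escape(str(v), quote=True),
    "javascript_escape": javascript_escape,
}

AUTOFILTER_RE = re.compile(r"\{%\s*autofilter\s+(\w+)\s*%\}\n?")
VARIABLE_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}|\{!\s*(\w+)\s*!\}")

def render(template, context):
    """Render {{ var }} through the template's autofilter; {! var !} stays raw."""
    declared = AUTOFILTER_RE.search(template)
    if declared and declared.group(1) not in FILTERS:
        raise ValueError("unknown autofilter: " + declared.group(1))
    # No autofilter tag: variables are emitted unfiltered (backward compatible).
    auto = FILTERS[declared.group(1)] if declared else str
    body = AUTOFILTER_RE.sub("", template)

    def substitute(match):
        filtered_name, raw_name = match.groups()
        if raw_name is not None:
            return str(context[raw_name])  # explicit opt-out of the autofilter
        return auto(context[filtered_name])

    return VARIABLE_RE.sub(substitute, body)

# Constructed sample value containing HTML and JavaScript metacharacters.
SAMPLE = {"name": '</script><b>Tom & "Jerry"</b>'}

HTML_TEMPLATE = "{% autofilter escape %}\n<p>{{ name }}</p><div>{! name !}</div>"
JS_TEMPLATE = '{% autofilter javascript_escape %}\nvar name = "{{ name }}";'
LEGACY_TEMPLATE = "<p>{{ name }}</p>"

if __name__ == "__main__":
    for tpl in (HTML_TEMPLATE, JS_TEMPLATE, LEGACY_TEMPLATE):
        print(render(tpl, SAMPLE))
```

The same variable is escaped differently depending on the filter the template declares, and a template without the tag renders exactly as before.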