On Jan 13, 10:23 pm, Malcolm Tredinnick wrote:
> I think
> Chris's idea misses a bunch of the subtleties (and that isn't a
> criticism of him writing the proposal, since he has laid out his point
> of view clearly and offered a solution without any fuss, rather than
> continual
On Sat, 2007-01-13 at 06:29 +, Brian Beck wrote:
> Jeremy Bowers wrote:
> > I've also discovered that even relatively skilled developers can have a
> > lot of trouble catching every case that needs to be escaped, whereas
> > almost any developer can correctly determine when *not* to escape
> >
On Fri, 2007-01-12 at 23:28 -0800, Nicola Larosa (tekNico) wrote:
> On 13 Gen, 06:02, "SmileyChris" wrote:
> > We need to come to a consensus on Django autoescaping
>
> There's an interesting discussion on GvR's blog, with several mentions
> of escaping:
>
> http://www.artima
On 13 Gen, 06:02, "SmileyChris" wrote:
> We need to come to a consensus on Django autoescaping
There's an interesting discussion on GvR's blog, with several mentions
of escaping:
http://www.artima.com/forums/threaded.jsp?forum=106&thread=146606
Speaking of Django 1.0, it als
Brian Beck wrote:
> +1 on a noescape "filter" (I'm not too familiar with the template code
> but it seems like it would have to be a special case rather than a real
> filter). The reason given above sounds right to me: people know when
> they don't want something to be escaped.
Although, this doe
Jeremy Bowers wrote:
> I've also discovered that even relatively skilled developers can have a
> lot of trouble catching every case that needs to be escaped, whereas
> almost any developer can correctly determine when *not* to escape
> something. The "it didn't work, I'll do X" algorithm that is s
SmileyChris wrote:
> Rather than clog up the main "1.0" discussion, let's move this to a
> side discussion.
>
I can add some personal experience to this.
At work, we use Apache::ASP (perl-based), which uses <%= $value %> to
dump out a string directly into the HTML. After one too many XSS bugs
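The two designs the thread is weighing, raw substitution in the <%= $value %> style versus escape-by-default with an explicit opt-out ("people know when they don't want something to be escaped"), side by side as an added example. This is not code from the thread or from Django; the {{ var }} / {{ var|noescape }} syntax, the SafeString/mark_safe marker and the function names are assumptions made for illustration, and the sample template and values are constructed.

```python
import html
import re

# Added example, not code from the django-developers thread or from Django.
# It sketches the design under discussion: escape by default, opt out
# explicitly. The {{ var }} / {{ var|noescape }} syntax and the names
# SafeString, mark_safe, render_manual and render_autoescape are assumptions.


class SafeString(str):
    """Marker type: the value is already HTML and must not be escaped again."""


def mark_safe(value):
    """Declare a string trusted HTML. Only call this on content you control."""
    return SafeString(value)


def escape(value):
    """HTML-escape value unless it is already marked safe (no double escaping)."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


_TAG = re.compile(r"\{\{\s*(\w+)\s*(?:\|\s*(\w+)\s*)?\}\}")


def render_manual(template, context):
    """<%= $value %> style: substitute the raw value.

    Every call site has to remember to escape, and the one that forgets
    is an XSS hole."""
    def sub(m):
        return str(context[m.group(1)])
    return _TAG.sub(sub, template)


def render_autoescape(template, context):
    """Escape every substitution unless the template author opts out with
    |noescape or the value was explicitly marked safe in code."""
    def sub(m):
        name, filt = m.group(1), m.group(2)
        value = context[name]
        if filt == "noescape":
            return str(value)
        if filt is not None:
            raise ValueError("unknown filter: %s" % filt)
        return escape(value)
    return _TAG.sub(sub, template)


# Constructed sample input: a user-supplied display name carrying a script
# tag, and a trusted HTML fragment generated by the application itself.
UNTRUSTED_NAME = '<script>alert(document.cookie)</script>'
TRUSTED_HTML = mark_safe('<a href="/logout">Log out</a>')
PAGE = '<p>Hello {{ name }}</p>{{ nav }}'


def demo():
    """Render the same page both ways; returns the three outputs by label."""
    ctx = {"name": UNTRUSTED_NAME, "nav": TRUSTED_HTML}
    return {
        "manual": render_manual(PAGE, ctx),          # script tag goes straight through
        "auto": render_autoescape(PAGE, ctx),        # script tag encoded, nav kept as HTML
        "opt_out": render_autoescape("{{ name|noescape }}", ctx),  # author chose raw
    }


if __name__ == "__main__":
    for label, out in demo().items():
        print("%-8s %s" % (label, out))
```

The point of the SafeString marker is that escape() is idempotent on it: a value that the application already escaped or built as HTML passes through untouched, so autoescaping never double-encodes, while everything else gets encoded whether or not the template author remembered. The opt-out is the single place a reviewer has to look.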
Rather than clog up the main "1.0" discussion, let's move this to a
side discussion.
We need to come to a consensus on Django autoescaping - I'll put in my
2c for my alternative
(http://code.djangoproject.com/wiki/AutoEscape%20alternative) of
course, but whichever direction we go, it'd be good to