On Fri, 2006-08-04 at 10:09 -0700, Ahmad Alhashemi wrote:
[...]
> The problem here is that the base and extending templates are not
> always managed by the same person.
>
> Consider the case of the admin templates for example. Sometimes you
> just want to create your own base template to change t
> Regarding doing a "security audit", assuming you had some method of
> defining the default escaping (if any) it would seem easier and safer
> to audit if you were looking for cases where you didn't need to escape
> (the more rare case). But this is getting back to the main auto-escape
> discussi
James Bennett wrote:
> The view decides which template to use, and what variables will be
> made available to the template, but that's not really the same thing;
> the question here is "which layer of Django decides what the actual
> output bits will be that go over the wire?" And the answer is m
On 7/30/06, SmileyChris <[EMAIL PROTECTED]> wrote:
> 1. Technically, the view decides how a template is going to be
> displayed, not the template itself. Could the view, therefore, be the
> best place for escaping to happen?
The view decides which template to use, and what variables will be
made
I think that this is prone to error. At least for me, when I see a
piece of code like this one, I will definitely think that it needs to be
escaped:
{{ content }}
But if I'm passing something in the view code without escaping, I will
have to check the template to make sure it is being handled pro
I have been thinking about where escaping belongs recently and maybe my
logic is all wrong but I'll write down some of my thoughts.
This is a related thread to the ones about auto-escaping but I have a
specific discussion I wish to pursue. And it's not really limited to
"auto&qu