Jacob Kaplan-Moss wrote:
> On Mar 2, 2006, at 3:16 PM, Michael Radziej wrote:
>> Now, did I miss something and is this already fixed? Should this be
>> treated differently? How do other people handle this?
> 
> The problem in the admin was fixed in [1982]: http://code.djangoproject.com/changeset/1982; in your own templates you'll
> want to use the "escape" filter (http://www.djangoproject.com/documentation/templates/#escape) on any potentially dangerous entries.
> 
> Why not do it for all variables? At times you want to pass chunks of  
> HTML into a template that get displayed raw.  I don't think the  
> behavior you suggest should be default, 

Maybe a stupid question, but why not?

For me it seems that most of the time it's fine to escape the text, so for 
me it would make sense to have it on by default... and for the cases when 
I want to enter raw data into the page template, we could have an 
'unescape' filter... we could call it 'raw', for example.

what do you think?

gabor
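As an added illustration of the escape-by-default design with an explicit opt-out filter discussed in this thread (example code written for this page, not Django's template engine; the `render` function, the `{{ var|raw }}` syntax and the sample inputs are assumptions):

```python
import html
import re

# Toy stand-in for a template engine: "{{ name }}" is escaped by default,
# "{{ name|raw }}" inserts the value untouched (the opt-out filter proposed above).
_VAR_RE = re.compile(r"\{\{\s*(\w+)\s*(?:\|\s*(\w+)\s*)?\}\}")


def render(template: str, context: dict) -> str:
    """Substitute context values into template, escaping unless |raw is given."""
    def substitute(match: re.Match) -> str:
        name, flt = match.group(1), match.group(2)
        value = str(context.get(name, ""))
        if flt is None:
            return html.escape(value, quote=True)   # default: escape everything
        if flt == "raw":
            return value                            # explicit, visible opt-out
        raise ValueError(f"unknown filter: {flt}")
    return _VAR_RE.sub(substitute, template)


# Constructed sample inputs: a user-submitted comment body and a trusted snippet.
UNTRUSTED = '<script>alert("x")</script>'
TRUSTED_HTML = "<em>editor's note</em>"


def demo() -> dict:
    """Render the same untrusted value with the safe default and with the opt-out."""
    return {
        "escaped": render("<p>{{ body }}</p>", {"body": UNTRUSTED}),
        "raw": render("<p>{{ body|raw }}</p>", {"body": UNTRUSTED}),
        "trusted": render("<div>{{ note|raw }}</div>", {"note": TRUSTED_HTML}),
    }


if __name__ == "__main__":
    for label, out in demo().items():
        print(f"{label}: {out}")
```

With the default path a forgotten filter yields escaped markup rather than live script, so the only way to emit raw HTML is a deliberate `|raw` that is easy to spot in review.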

You received this message because you are subscribed to the Google Groups "Django developers" group.