On 20 Jun 2006, at 15:11, Michael Radziej wrote:

> But, looking at the recent bugs in the Admin:
>
> 2006, __str__() output not escaped in breadcrumbs and filters
> 2152, username was not escaped
>
> Perhaps neither of these would be fixed with auto-escaping. But I want to
> emphasize that bugs like this happen all the time, are hard to spot and
> are inherently dangerous. If you escape too much, you'll spot it easily,
> and not much harm has been done.

This is exactly why I'm for auto escaping - these bugs sneak in all over the place; they aren't something that only affects careless or newbie developers. I bet there's a bunch hiding in the current Django source code.

If we did have it as an opt-in thing rather than being turned on by default we'd also have to include a bunch of stuff in the docs saying "we really, really strongly suggest that you opt-in to this".

I'm actually on the fence as to having it on by default - my gut feeling is that it's a good idea, since every framework ever that hasn't done it has been plagued by XSS problems. That said, I don't think we can get a really good feel for how it works in practise until we can actually play with working code - which is why I want to build it in a branch (until we're sure that it works nicely it definitely shouldn't be inflicted on people following trunk).

Cheers,

Simon
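The trade-off the thread argues over, shown in code. This is an added example and not Django's template engine or any code from the thread: `render`, `SafeString`, `mark_safe`, the `|escape` and `|safe` filters, the `User` stand-in and the hostile username are all hypothetical, constructed for this illustration. It shows the three points made above: with opt-in escaping one forgotten filter sends user-controlled markup (including a model's `__str__()` output) straight into the page; with escape-by-default the same template is harmless; and escaping too much produces visibly broken text (`&amp;lt;`) rather than a vulnerability.

```python
"""Toy template renderer contrasting opt-in escaping with escape-by-default.

Hypothetical helpers written for this example; the {{ name|filter }} syntax is
a deliberately minimal imitation, not a real template language.
"""
import html
import re
from typing import Any, Mapping

# Matches {{ name }} or {{ name|filter|filter }} (hypothetical mini-syntax).
VAR_RE = re.compile(r"\{\{\s*(\w+)((?:\|\w+)*)\s*\}\}")


class SafeString(str):
    """Marker: the string is already HTML-safe and must not be escaped again."""


def mark_safe(value: str) -> SafeString:
    return SafeString(value)


def escape(value: Any) -> str:
    """Escape anything not marked safe. str() is applied first, so an object's
    __str__() output is covered too, which is where the admin bugs cited in
    the thread came from."""
    if isinstance(value, SafeString):
        return str(value)
    return html.escape(str(value), quote=True)


def render(template: str, context: Mapping[str, Any], autoescape: bool = True) -> str:
    """Substitute variables. With autoescape=True every value is escaped unless
    marked safe; with autoescape=False only values run through |escape are."""
    def substitute(match: re.Match) -> str:
        value = context[match.group(1)]
        for name in filter(None, match.group(2).split("|")):
            if name == "escape":
                value = mark_safe(html.escape(str(value), quote=True))
            elif name == "safe":
                value = mark_safe(str(value))  # author explicitly trusts it
            else:
                raise ValueError(f"unknown filter {name!r}")
        return escape(value) if autoescape else str(value)
    return VAR_RE.sub(substitute, template)


class User:
    """Stand-in for a model whose __str__() returns user-controlled data."""
    def __init__(self, username: str) -> None:
        self.username = username

    def __str__(self) -> str:
        return self.username


# Constructed hostile input for the demonstration.
HOSTILE_USERNAME = "<script>alert('xss')</script>"
TEMPLATE = "<li>{{ user }}</li>"  # template author forgot |escape


def opt_in_forgotten() -> str:
    """Opt-in escaping: one forgotten filter and the markup goes out raw."""
    return render(TEMPLATE, {"user": User(HOSTILE_USERNAME)}, autoescape=False)


def default_on() -> str:
    """Escape-by-default: same template, same forgotten filter, no injection."""
    return render(TEMPLATE, {"user": User(HOSTILE_USERNAME)}, autoescape=True)


def over_escaped() -> str:
    """Value pre-escaped in view code, then autoescaped again: visibly wrong
    (&amp;lt; shows up in the page) but harmless."""
    pre = html.escape(HOSTILE_USERNAME, quote=True)
    return render(TEMPLATE, {"user": pre}, autoescape=True)


def trusted_markup() -> str:
    """Deliberately trusted HTML is opted out with |safe and passes through."""
    return render("<p>{{ body|safe }}</p>", {"body": "<em>hi</em>"}, autoescape=True)


if __name__ == "__main__":
    for fn in (opt_in_forgotten, default_on, over_escaped, trusted_markup):
        print(f"{fn.__name__:18} {fn()}")
```

The `|escape` filter marks its result safe so that turning autoescaping on does not double-escape templates that were already doing the right thing; only values escaped outside the template (as in `over_escaped`) get the visible `&amp;lt;` artefact, which is the "spot it easily" case from the quoted message.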
