Adrian Holovaty wrote:
> On 6/20/06, Michael Radziej <[EMAIL PROTECTED]> wrote:
>> <sarcasm>
>> You're against automatically quoting your data in the database driver?
>> Let's rip it out, bad magic that munges your data behind your back.
>> </sarcasm>
>
> I figured somebody might bring up this example, but it isn't quite
> analogous. With a database query, you don't really care what the
> textual output (SQL) is. With a template, you do.
Really?

* I do depend on the database getting the right data and not a ' or a ` too many. Same for escaping.

* And I don't care whether the programmer has hand-escaped a string or it has happened during template rendering. Same for the database quotes.

And furthermore:

* It's a lot more important that my site does not have XSS exploits, which I usually don't find, compared to whether here and there I get strings that are escaped multiple times, which I usually spot during testing. Perhaps I'm obsessed with security, but why shouldn't I be? And: same for the database quotes.

I'm really curious where this dislike for auto-escaping comes from. Does it come from PHP? I'd like to follow you or convince you, but I cannot as long as I don't understand what your reason or experience with this is.

Let me add that I share Simon's opinion that this needs to be tried out to see how it feels in practice.

Michael
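The trade-off Michael describes (a forgotten hand-escape becomes an XSS hole, while auto-escaping at worst produces a visible double-escape) as an added example, not code from this thread or from Django itself. The `SafeStr` marker, `escape()` and the two `render_*` helpers are hypothetical names chosen here to show how an escape-once marker avoids the double-escaping artifact.

```python
import html


class SafeStr(str):
    """Marker for text that is already escaped (or is trusted markup).
    Hypothetical helper for this example, not a Django API."""


def escape(value):
    """Escape exactly once: SafeStr passes through, anything else is HTML-escaped."""
    if isinstance(value, SafeStr):
        return value
    return SafeStr(html.escape(str(value), quote=True))


def render_manual(template, ctx):
    """No auto-escaping: the template author must remember to escape every variable."""
    return template.format(**ctx)


def render_autoescape(template, ctx):
    """Auto-escaping: every substituted value goes through escape() once."""
    return template.format(**{k: escape(v) for k, v in ctx.items()})


# Constructed sample input: comment text supplied by an untrusted visitor.
UNTRUSTED = '<script>alert("xss")</script>'
TEMPLATE = '<p class="comment">{comment}</p>'


def forgotten_escape_leaks_markup():
    # Manual escaping that was forgotten: the script tag reaches the page verbatim.
    return "<script>" in render_manual(TEMPLATE, {"comment": UNTRUSTED})


def autoescape_neutralises_markup():
    out = render_autoescape(TEMPLATE, {"comment": UNTRUSTED})
    return "<script>" not in out and "&lt;script&gt;" in out


def hand_escaped_is_not_double_escaped():
    # Escaped by hand in view code and marked safe: left alone by the renderer.
    pre = SafeStr(html.escape(UNTRUSTED))
    out = render_autoescape(TEMPLATE, {"comment": pre})
    return "&amp;lt;" not in out and "&lt;script&gt;" in out


def unmarked_hand_escape_is_double_escaped():
    # Hand-escaped but not marked: the visible (harmless) double-escape artifact.
    out = render_autoescape(TEMPLATE, {"comment": html.escape(UNTRUSTED)})
    return "&amp;lt;script&amp;gt;" in out
```

The last two helpers show why an auto-escaping design needs a way to mark already-escaped output: without it the failure mode is a cosmetic `&amp;lt;` on the page, which is what testing catches, whereas the manual-escaping failure mode is script execution.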