On Jun 21, 2006, at 6:57 PM, Jacob Kaplan-Moss wrote:
> Yes, I agree -- I've never been against a template tag which does
> autoescape because that's still leaving power in the hands of the
> template authors.

Then again, how often do you *want* to allow your users to put HTML and JS in and allow it to be executed? Not often, I imagine. And following that, I think Django should, of the two options, cover the majority, which I believe is "escape by default" and allow {% autoescape off %}.

For the sake of security, I'm really hoping to see escaping automatically turned on.

Regards,
Tyson
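The two defaults discussed in this message, as an added example that is not part of the thread and is not Django's code: a small stand-in renderer in which variables are escaped unless they sit inside an opt-out block. Only the `{% autoescape off %}` tag name comes from the message; `render`, `default_escape`, the `{% endautoescape %}` closing tag and the sample template and context are assumptions made for illustration.

```python
import html
import re

# One capturing group, so re.split() alternates literal text and tokens.
TOKEN = re.compile(
    r"({%\s*(?:autoescape\s+(?:on|off)|endautoescape)\s*%}|{{\s*\w+\s*}})"
)

def render(template, context, default_escape=True):
    """Render a template; variables are escaped unless the innermost
    enclosing {% autoescape off %} block says otherwise."""
    out = []
    stack = [default_escape]  # stack[-1] is the setting currently in force
    for i, part in enumerate(TOKEN.split(template)):
        if i % 2 == 0:
            out.append(part)  # literal text written by the template author
        elif part.startswith("{%"):
            words = part.strip("{%} ").split()
            if words[0] == "endautoescape":
                if len(stack) == 1:
                    raise ValueError("endautoescape without autoescape")
                stack.pop()
            else:
                stack.append(words[1] == "on")
        else:
            value = str(context.get(part.strip("{} "), ""))
            out.append(html.escape(value) if stack[-1] else value)
    if len(stack) != 1:
        raise ValueError("unclosed autoescape block")
    return "".join(out)

# Constructed sample: one user-supplied field, one field the template
# author has decided to trust and opted out of escaping for.
TEMPLATE = (
    "<p>{{ comment }}</p>"
    "{% autoescape off %}<div>{{ trusted_html }}</div>{% endautoescape %}"
)
CONTEXT = {
    "comment": "<script>alert(1)</script>",
    "trusted_html": "<em>staff note</em>",
}

if __name__ == "__main__":
    print(render(TEMPLATE, CONTEXT))                        # escape by default
    print(render(TEMPLATE, CONTEXT, default_escape=False))  # opt-in escaping
```

With escaping on by default, the forgotten case (the plain `{{ comment }}`) fails safe, and the unescaped output is limited to the region the template author marked explicitly.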