On Jun 21, 2006, at 6:57 PM, Jacob Kaplan-Moss wrote:

> Yes, I agree -- I've never been against a template tag which does
> autoescape because that's still leaving power in the hands of the
> template authors.

Then again, how often do you *want* to allow your users to put HTML  
and JS in and allow it to be executed? Not often, I imagine. And  
following that, I think Django should, of the two options, cover the  
majority, which I believe is "escape by default" and allow
{% autoescape off %}. For the sake of security, I'm really hoping to see
escaping automatically turned on.

Regards,
Tyson
