> Yes, Django should be accessible to newbies, but newbie-friendliness
> needs to be balanced against the needs of experienced web developers
> (who likely already know all about XSS).

To exhume an old horse and continue beating it, experienced web
developers may know all about XSS, but they will *still make mistakes*.
http://code.djangoproject.com/ticket/2290 is yet another example of
unescaped strings slipping past "experienced web developers".

Ok, ignore that vent. Now I'll try and be more constructive.

The following proposal assumes that we want template level
auto-escaping functionality and will provide it using the
escaped/non-escaped string idea from
http://code.djangoproject.com/wiki/AutoEscaping.

My proposal is that we don't use a {% autoescape on/off %} block tag or
a new |raw filter in the template source at all, but rather always use
the view to set the auto-escaping status.
The developer wanting to use autoescaping can simply mark any variables
which should be raw using markescaped() in the view.

Rather than hard coding the escape method into VariableNode.render(),
the additional methods would be changed:
- django.template, Template.render(..., escaper=None)
- django.template.loader, render_to_string(..., escaper=None)
and the VariableNode.render() would pass the string through the escaper
(if one is given).

It is reasonably straightforward to identify the filters which do
their own escaping. Like the wiki article says, they can simply be
flagged with markescaped() in the filters.

Since it's done explicitly in the view, hopefully this helps to appease
Adrian's fears of escape munging being too hidden / magical.

So nothing up to this stage even breaks backwards compatibility.

A further step (an implementation of the on-by-default idea) would be
to set the default to render_to_string(..., escaper=True) but raise an
exception unless escaper resolves to False or is a subclass of Escaper.
This would break backwards compatibility, but becomes even more
explicit, which I hear is a good thing ;)
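Added example, not code from the post or from Django: a minimal Python sketch of the proposal above, reusing the post's names (markescaped, Escaper, the escaper= parameter on Template.render and render_to_string); EscapedString, resolve_escaper and the linebreaks filter are assumed names. Template.render stays unescaped unless an escaper is given (the backwards-compatible stage), while render_to_string defaults to escaper=True and rejects anything that is not falsy or an Escaper (the on-by-default stage).

```python
import html
import re

class EscapedString(str):
    """Marks a value as already escaped or deliberately raw (the wiki's escaped-string idea)."""

def markescaped(value):
    return EscapedString(value)

class Escaper:
    """Default escaper: marked strings pass through, everything else is HTML-escaped."""
    def __call__(self, value):
        if isinstance(value, EscapedString):
            return str(value)
        return html.escape(str(value), quote=True)

def resolve_escaper(escaper):
    """True -> default Escaper; falsy -> no escaping; an Escaper (or subclass) -> itself; else reject."""
    if escaper is True:
        return Escaper()
    if not escaper:
        return None
    if isinstance(escaper, Escaper):
        return escaper
    raise TypeError("escaper must be False/None, True or an Escaper")

class VariableNode:
    def __init__(self, name):
        self.name = name
    def render(self, context, escaper=None):
        # No escaping is hard-coded here; the node only applies the escaper it is handed.
        value = context.get(self.name, "")
        return escaper(value) if escaper else str(value)

class Template:
    """Minimal {{ var }} template; the escaper travels through Template.render."""
    def __init__(self, source):
        self.nodes, pos = [], 0
        for m in re.finditer(r"\{\{\s*(\w+)\s*\}\}", source):
            self.nodes += [source[pos:m.start()], VariableNode(m.group(1))]
            pos = m.end()
        self.nodes.append(source[pos:])
    def render(self, context, escaper=None):  # stage 1: nothing escaped unless asked
        esc = resolve_escaper(escaper)
        return "".join(n.render(context, esc) if isinstance(n, VariableNode) else n
                       for n in self.nodes)
def render_to_string(source, context, escaper=True):  # stage 2: escaping on by default
    return Template(source).render(context, escaper)

def linebreaks(value, escaper=Escaper()):
    """Filter that escapes its own input, so it flags its result with markescaped()."""
    return markescaped(escaper(value).replace("\n", "<br>"))
```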

