On Tue, Apr 17, Tom Tobin wrote:
> I think you misunderstood me; I'm not saying there should be a
> general-output escaping framework. I'm saying that if there *is* an
> HTML escaping framework, the object/variable naming should make it
> clear that we're dealing with HTML-specific escaping where such code
> comes into contact with the general templating system. Setting
> "is_safe" on a filter doesn't tell me a thing about what it's "safe"
> from; setting "is_html_safe" *does* give me an idea about what's going
> on.
Ah, you're right. Now, honestly, I am not a huge fan of the current names, but I don't consider it very important, and I don't have good names either. I trust Malcolm to choose what he finds best ;-)

> > Maybe in your case "knowing your code" is fine, but even within django
> > missing escapes have shown up as bugs in the past. This is the number one
> > reason for cross-site scripting holes.
>
> I don't think this line of argument is ever going to reach resolution
> between the pro and con camps regarding auto-escaping, so I'm not
> really trying to argue that point here (my strongly-held views
> notwithstanding). I'm trying to make sure that whatever auto-escaping
> implementation *does* get accepted is tolerable. :-)

Fine! Apologies for this misunderstanding.

Michael

--
noris network AG - Deutschherrnstraße 15-19 - D-90429 Nürnberg
Tel +49-911-9352-0 - Fax +49-911-9352-100
http://www.noris.de - The IT-Outsourcing Company
Vorstand: Ingo Kraupa (Vorsitzender), Joachim Astel, Hansjochen Klenk
Vorsitzender des Aufsichtsrats: Stefan Schnabel - AG Nürnberg HRB 17689
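A self-contained Python sketch of the mechanics the thread is arguing about, added here as an illustration and not code from Django or from either poster: output is HTML-escaped unless explicitly marked safe, and a filter's `is_safe` flag only lets an already-safe input stay safe, which is exactly why the flag is HTML-specific. The `SafeHTML` type, `apply_filter` and `render` are assumptions of this sketch, not Django's API.

```python
from html import escape


class SafeHTML(str):
    """A string already escaped for HTML, or known to need no escaping.
    (Assumed type for this sketch; Django's own marker differs.)"""


def mark_safe(value):
    return SafeHTML(value)


def conditional_escape(value):
    """Escape everything except values explicitly marked safe for HTML."""
    if isinstance(value, SafeHTML):
        return value
    return mark_safe(escape(str(value), quote=True))


def is_safe(fn):
    """Filter decorator: output stays safe for HTML only if the input was.
    The flag says nothing about other contexts (JS, URLs, SQL)."""
    fn.is_safe = True
    return fn


@is_safe
def upper(value):
    # Does not add markup, so it cannot make a safe string unsafe.
    return value.upper()


def bold(value):
    # Builds markup around the value; the value must be escaped first or
    # this filter becomes the "missing escape" that turns into an XSS hole.
    return mark_safe("<b>%s</b>" % conditional_escape(value))


def apply_filter(fn, value):
    """Apply a filter the way an auto-escaping template engine would."""
    result = fn(value)  # str methods return plain str, losing the marker
    if getattr(fn, "is_safe", False) and isinstance(value, SafeHTML):
        return mark_safe(result)  # safe in, safe out
    return result  # plain str: escaped when rendered


def render(value):
    """Final output step: escape unless marked safe."""
    return str(conditional_escape(value))
```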