Hi Chris,

On Wed, Apr 18, SmileyChris wrote:

> 
> On Apr 18, 3:48 pm, Malcolm Tredinnick <[EMAIL PROTECTED]>
> wrote:
> > In the past threads, we basically had consensus anyway, I'm not sure
> > that revisiting everything again is worth the hassle.
> 
> Without trying to rock the boat... reading back, I'm not sure there
> was a resounding consensus.
> 
> I actually like Malcolm's proposal. Can't say I'd be thrilled if it was
> on by default though.
> 
> I don't want to push my alternative that hard, because it's easy
> enough to use without it being in core (slightly related: I still
> would have liked to see escaping work recursively for lists -
> http://code.djangoproject.com/ticket/2862)

To round up my opinion about this: Chris's alternative is too simplistic. 

For me, Malcolm's approach solves two key issues:

- It makes "escaping" the rule and not-escaping the exception.

  If you err on the wrong side and get double escaping, this isn't nice,
  but it's harmless. If you err and skip escaping, you get a possible
  XSS attack. Chris's approach cannot do this to the same degree since
  you'll usually get plenty of exceptions as soon as you use template 
  filters that return html code (e.g., for rendering special variables).

- It moves the responsibility for escaping from the template to the context.

  The template writer shouldn't need to know whether the context variables
  are already escaped or not. Worse, this could change over time.
  Finally, the programmer should know what has already been escaped
  and what hasn't, because he's the one who does it.

I can honestly say from my own experience that Chris's approach wouldn't
work for me, while Malcolm's does.


So long,

Michael


-- 
noris network AG - Deutschherrnstraße 15-19 - D-90429 Nürnberg -
Tel +49-911-9352-0 - Fax +49-911-9352-100
http://www.noris.de - The IT-Outsourcing Company
 
Vorstand: Ingo Kraupa (Vorsitzender), Joachim Astel, Hansjochen Klenk - 
Vorsitzender des Aufsichtsrats: Stefan Schnabel - AG Nürnberg HRB 17689
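As an added illustration (not part of the original thread and not Django's own code), the following Python sketch shows the "escaping is the rule, not escaping is the exception" approach the message argues for: every context value is HTML-escaped on output unless the programmer has explicitly marked it safe, and a filter that emits markup is responsible for escaping its own input before marking its result. The names SafeString, mark_safe, escape, linebreaks and render are assumptions chosen for this example.

```python
"""Escape-by-default template rendering, as an illustration of the approach
discussed above. This is example code written for this page; it is not
Django's implementation, and the names below are chosen for illustration."""
import html
import re


class SafeString(str):
    """Marker type: a string the programmer has vouched for as HTML."""


def mark_safe(value):
    """The explicit exception: the programmer asserts this is already safe HTML."""
    return SafeString(value)


def escape(value):
    """The rule: HTML-escape everything that is not already marked safe.

    Because an escaped result is itself a SafeString, escaping twice is a
    no-op rather than producing '&amp;lt;', so the harmless double-escape
    mentioned in the message cannot even occur here."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


def linebreaks(value):
    """A filter that returns HTML. It escapes its (possibly untrusted) input
    first, then marks its own output safe; that is the filter author's job,
    not the template writer's."""
    escaped = escape(value)
    return mark_safe("<br>".join(str(escaped).split("\n")))


def upper(value):
    """A filter that returns a plain str: the safe marker is dropped, so the
    output gets escaped again at render time, which is the conservative side."""
    return str(value).upper()


FILTERS = {"linebreaks": linebreaks, "upper": upper}

# Matches {{ name }} and {{ name|filter1|filter2 }}.
_VAR = re.compile(r"\{\{\s*(\w+)((?:\|\w+)*)\s*\}\}")


def render(template, context):
    """Substitute context variables into the template, escaping on output."""
    def substitute(match):
        value = context[match.group(1)]
        for name in match.group(2).split("|")[1:]:
            value = FILTERS[name](value)
        return str(escape(value))  # escaping happens here, once, for everything
    return _VAR.sub(substitute, template)


if __name__ == "__main__":
    # Constructed sample input: an untrusted comment containing a script tag.
    untrusted = "<script>alert(1)</script>"
    print(render("<p>{{ comment }}</p>", {"comment": untrusted}))
    print(render("<p>{{ comment|linebreaks }}</p>", {"comment": "line one\n<b>not bold</b>"}))
    # The programmer, who knows what has been escaped, marks trusted HTML safe
    # in the context; the template writer does not need to know either way.
    print(render("<div>{{ body }}</div>", {"body": mark_safe("<em>trusted</em>")}))
```

The interesting cases are the two filters: linebreaks emits markup and therefore owns the escaping of its input, while upper returns a plain str, loses the safe marker, and is escaped at output. Either way the template writer never has to reason about which variables are already escaped.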

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en
-~----------~----~----~----~------~----~------~--~---