> As you noted, escaping by default would be fine and largely a non-argument if
> Mason were explicitly a Web template language, but it's not.

I'm confused, Stephen, because this statement seems to contradict your other statement that "escaping by default never works right, because too many templates contain a mix of html, javascript, css, etc." and that this is "action at a distance" (paraphrasing).

Mason is not explicitly a Web template language, but Poet *is* explicitly a web framework and reserves the right to tweak Mason settings appropriately. So it might well be reasonable to turn on HTML escaping by default for Poet.

In any case, it seems like default escaping is a reasonable feature for Mason to make available sans any scary caveats. Though ideally you'd be able to turn it on/off on a component or a directory basis, or even on a partial-component basis, rather than a giant on/off switch for your whole site.

If a thoughtful framework like Django does this by default, then I'd say it's a pretty good bet Poet ought to as well.

Jon

_______________________________________________
Mason-users mailing list
Mason-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mason-users