Jacob Kaplan-Moss wrote:
> On 1/12/07 6:02 PM, Malcolm Tredinnick wrote:
>
>> * Autoescaping: I think this needs to stay on the radar at least. We
>> came dangerously close to a consensus on this (both in discussions on
>> this list, based on Simon's proposal) and the discussions you, I and
>> Adrian had at OSCON.
>>
>
> Ah, yes :)
>
> I think I'm really the only one who's still holding out for manual escaping,
> so in the interests of Getting Things Done I'm gonna shut up about it. Is
> there anyone besides me who *doesn't* want auto escaping (in some form) in
> Django? If so, let's hear it now.
>

I would prefer that auto-escaping didn't make it into Django. It may be an overly utopian ideal, but I think security issues, including escaping, should be a conscious effort involving research and understanding of the situation. Without that, it's like blindly adding bandaids to your application hoping they'll keep the holes closed.
Besides, auto-escaping reminds me of PHP's "magic quotes" and we all know how well that turned out... :)

Chris