Django Changeset 6671. Malcolm Tredinnick: “Implemented auto-escaping of variable output in templates”. Fantastic—Django now has protection against accidental XSS holes, turned on by default.
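As an added illustration of what "auto-escaping of variable output" buys you (this is example code written for this page, not Django's template engine or any of its code), here is a minimal renderer that escapes every substituted variable by default, passes a value through only when it has been explicitly marked safe, and never escapes twice. The names SafeString, mark_safe, conditional_escape, the `|safe` and `|escape` filters, and the sample context are assumptions for the example.

```python
import html
import re


class SafeString(str):
    """Marker type: content already known to be HTML, rendered verbatim.

    Assumed name for this example; it mirrors the idea of marking a
    string safe but is not Django's implementation.
    """


def mark_safe(value):
    """Declare a string trusted HTML. Only do this for output built from
    already-escaped pieces or taken from a trusted source."""
    return SafeString(value)


def escape(value):
    """Escape unconditionally: &, <, >, " and ' become entities."""
    return SafeString(html.escape(str(value), quote=True))


def conditional_escape(value):
    """Escape unless the value was explicitly marked safe.

    Returning a SafeString makes escaping idempotent: a value that has
    passed through once is not escaped again (no '&amp;lt;' double-escaping).
    """
    if isinstance(value, SafeString):
        return value
    return escape(value)


# {{ name }} or {{ name|filter }}: a deliberately tiny subset of template syntax.
VAR_RE = re.compile(r"\{\{\s*(\w+)\s*(?:\|\s*(\w+)\s*)?\}\}")

FILTERS = {
    "safe": lambda v: mark_safe(str(v)),  # opt out of escaping for one variable
    "escape": escape,                     # force escaping even when autoescape is off
}


def render(template, context, autoescape=True):
    """Substitute variables. With autoescape=True (the safe default) every
    substituted value is escaped unless it is a SafeString."""

    def substitute(match):
        name, filter_name = match.group(1), match.group(2)
        value = context.get(name, "")
        if filter_name is not None:
            if filter_name not in FILTERS:
                raise ValueError(f"unknown filter: {filter_name}")
            value = FILTERS[filter_name](value)
        if autoescape:
            return str(conditional_escape(value))
        return str(value)

    return VAR_RE.sub(substitute, template)


if __name__ == "__main__":
    # Constructed attacker-controlled input, e.g. a user-supplied display name.
    ctx = {"name": "<script>alert(1)</script>", "bio": "Tom & Jerry"}
    print(render("<p>Hi {{ name }}</p>", ctx))                     # script neutralised
    print(render("<p>Hi {{ name|safe }}</p>", ctx))                # explicit opt-out: raw
    print(render("<p>{{ bio }}</p>", ctx, autoescape=False))       # old behaviour: raw
    print(render("<p>{{ bio|escape }}</p>", ctx, autoescape=False))
```

The point of the design is where the burden sits: with escaping on by default, the only way to emit raw markup is to say so at the call site (`mark_safe` or `|safe`), which is exactly the line a reviewer greps for. Marking the escaped result as safe is what keeps a value from being escaped twice when it flows through more than one filter.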
Genius. The only other system I've seen that can get close to that is HTML::Mason… This is something I've been ranting about for years. If you're generating HTML and it's not being escaped, your tools are broken. Period.
Dominic Mitchell - 14th November 2007 20:51 - #
I remember a chat I had with Michael Radziej at EuroPython this year. He was really upset that such an obvious thing takes so long to be included in the codebase. Now he's satisfied, I think. ;)
Cool!
While adapting my project, I noticed only one little glitch, and then I saw that you already fixed it in r6673! Wow, that was fast!
Martina - 14th November 2007 21:42 - #
Good job on getting this into Django; while I can't honestly say the lack of this feature has kept me away from Django, it would have, had I been seriously looking at it.
The tools I do use have had this for a long time. Quixote gained this ability in the fall of 2002; PyCon 2003 featured a discussion.
http://mikewatkins.ca/2007/11/14/django-auto-escape/
In 2005 QP, a close cousin to Quixote but with more opinions, was released along with a decoupled templating/(sane) safe-quoting mechanism in QPY that was also fully unicode aware.
I believe QPY was decoupled so that it could be used more easily by any web-oriented project, templating system, or framework.
Michael Watkins - 14th November 2007 23:47 - #
Cool. Zope has had this since 2000, when the original risk of cross-site scripting became widely known.
Martijn Faassen - 15th November 2007 13:15 - #
Mmm, auto-escape gives me a warm fuzzy feeling...