Simon Willison’s Weblog

Blogmarks tagged xss, templating in 2007


Django Changeset 6671. Malcolm Tredinnick: “Implemented auto-escaping of variable output in templates”. Fantastic—Django now has protection against accidental XSS holes, turned on by default. # 14th November 2007, 5:05 pm

Most HTML templating languages are written incorrectly. “If you ever find yourself in the position of designing an html template language, please make the default behavior when including variables be to HTML-escape them.” I couldn’t agree more. # 15th April 2007, 8:28 pm