Simon Willison’s Weblog


4 items tagged “autoescaping”


Django 1.0 alpha release notes. The big features are newforms-admin, unicode everywhere, the queryset-refactor ORM improvements and auto-escaping in templates. # 22nd July 2008, 6:04 am

Jinja2 Final aka Jinjavitus Released. The Jinja template engine now has auto-escaping as an optional feature, disabled by default. Worth considering as an almost drop-in replacement for Django’s template language if features such as macros and compilation to Python code appeal to you. # 19th July 2008, 11:52 pm


Why the h can’t Rails escape HTML automatically? It would be a pretty huge change, but auto-escaping in Rails 2.0 could close up a lot of accidental XSS holes. # 1st December 2007, 8:34 pm

Django Changeset 6671. Malcolm Tredinnick: “Implemented auto-escaping of variable output in templates”. Fantastic—Django now has protection against accidental XSS holes, turned on by default. # 14th November 2007, 5:05 pm