id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
17906	'firstof' and 'cycle'  should autoescape	anonymous	Vladimir.Filonov	"'firstof' and 'cycle' do not autoescape when used in a template.
My expected behavior for Django is: The results of all template tags should be escaped unless marked safe.

Related to #10912 
In the context of #10912, the current behavior is documented. I don't think that is enough.

The current behavior is NOT a good approach. Instead of documenting such pitfalls, Django should be safe by default.
When I manually inspect the usage of 'firstof' and 'cycle' in several projects, it's almost a 100% hit with XSS-vulnerable code.


Is there any reason why the current (and documented) behaviour is better than just fixing this?


ref: http://www.pythonsecurity.org/wiki/django/"	Uncategorized	closed	Template system	1.3	Normal	fixed	sprint2013	harm.verhagen+django@…	Accepted	0	0	0	0	0	0
