= Auto-Escaping Proposals = This is a list of the various Autoescaping proposals to protect against Cross-Site Scripting. See [wiki:AutoEscaping], [http://groups.google.com/group/django-developers/browse_thread/thread/206b0ba41c2229b7 django-dev] for discussion. If you want to vote for one of these alternatives, please choose the one that you would prefer and place your name after the '''Votes''' part. == 1: Nothing == Let the developer deal with it. '''Pros''': * Backwards Compatible * "Pure", * Already implemented. yay! '''Cons''': * Prone to XSS, '''Votes''': == 2: A context Autoescape Toggle == "adding a new property to the Context class, called autoescape. This defaults to being set to True, but can be toggled either in view functions or by {% autoescape off %} blocks in templates. The VariableNode render() method then uses this context flag to decide if escaping should be performed or not". See [wiki:AutoEscaping] '''Pros''': * Safe * Easy for template author to toggle. '''Cons''': * will require some way of marking strings in Django as "escaped" * will need lots of rewriting of existing templates * Backwards Incompatible '''Votes''': == 3: Add a "finalfilter" == Provide a {% finalfilter %} block tag to automatically add filters (for html escaping, |escape) to any variable tag defined within the block. See [http://code.djangoproject.com/wiki/AutoEscape%20alternative AutoEscape alternative] '''Pros''': * Safe * Easy for template author to use. * Backwards Compatible * Allows use of other escapers as a finalfilter so not just HTML '''Cons''': * What would be the default status? '''Votes''': Simon G.