Code

Changes between Version 56 and Version 57 of VersionOneFeatures


Ignore:
Timestamp:
01/16/07 00:27:52 (7 years ago)
Author:
Simon Willison
Comment:

Re-iterated my opinion that auto escape should be on by default, because XSS is incredibly serious

Legend:

Unmodified
Added
Removed
Modified
  • VersionOneFeatures

    v56 v57  
    7474For people trying to catch up on the discussion, there are a few long threads in the django-developers archives. Two good places to start are probably [http://groups.google.com/group/django-developers/browse_frm/thread/17d1dfecd67864ab?q=autoescape& an early discussion here] and the discussion around [http://groups.google.com/group/django-developers/browse_frm/thread/7caeb86c04b81f10/9ea28abb20020437?lnk=gst&q=autoescape+willison&rnum=1#9ea28abb20020437  the original patch]. -- Malcolm. 
    7575 
     76I'm becoming more and more convinced that auto-escaping needs to be on by default. XSS holes totally compromise the security of your application - they are the "root" attack of the Web. They are stupidly easy to introduce - even Google has had them. If you aren't convinced, take a look at the notes I've collected about them: http://simonwillison.net/tags/xss/ -- Simon 
     77 
    7678=== Model Inheritance === 
    7779