|=== Autoescape ===
|Autoescape only changed APIs if it was on by default. But I've (Michael Radziej) followed
|the discussion very closely, and I'm sure that the main reaction of the
|community was strictly against this. autoescape is my own favorite pet,
|but when I apply my own criteria, it wouldn't be a candidate for 1.0.
|One could argue that it will deeply affect the way templates are written
|and that they are an important step to make django applications safe,
|but the consensus about it was not that strong. Or do we want to use it
|in the admin? -- mir
|For people trying to catch up on the discussion, there are a few long threads in the django-developers archives. Two good places to start are probably [http://groups.google.com/group/django-developers/browse_frm/thread/17d1dfecd67864ab?q=autoescape& an early discussion here] and the discussion around [http://groups.google.com/group/django-developers/browse_frm/thread/7caeb86c04b81f10/9ea28abb20020437?lnk=gst&q=autoescape+willison&rnum=1#9ea28abb20020437 the original patch]. -- Malcolm.
|See also AutoEscaping and [wiki:"AutoEscape alternative" Autoescape alternative].
|I'm becoming more and more convinced that auto-escaping needs to be on by default. XSS holes totally compromise the security of your application - they are the "root" attack of the Web. They are stupidly easy to introduce - even Google has had them. If you aren't convinced, take a look at the notes I've collected about them: http://simonwillison.net/tags/xss/ -- Simon