Version 57 (modified by Simon Willison, 13 years ago)

Re-iterated my opinion that auto escape should be on by default, because XSS is incredibly serious

Version 1.0 feature list

Features Intended for 1.0

The following features have either been decided to go into 1.0 or are under discussion.

Feature                  | Leader  | Changes API? | Implementation status       | Tickets
-------------------------|---------|--------------|-----------------------------|---------------------------
newforms                 | Adrian  | Yes          | on the way                  |
serialization            | Jacob   | No           | feature not clearly defined | #2930, #2843, #2650, #2553
authentication           | Joseph  | Yes          | done                        |
generic relations        | Malcolm | Yes          | not done                    |
comments                 | Jacob   | No           | not started                 |
oracle                   | ?       | No           | almost there                |
ms sql server            | ?       | No           | ?                           |
test fixtures            | Russ    | No           | almost there                | #2333
root views/url reversal  | ?       | Yes          | Not started                 | #2977
autoescape               | Malcolm | No           | almost there                | #2359
model inheritance        | Malcolm | Unclear      | started                     |
windows installers       | ?       | No           | not started                 |
DecimalField             | adurdin | Yes          | started                     | #200, #2365

Delayed Features

Left to those who decide ;-)

Comments about Specific Features

Serialization

#2930 has not been decided and does not include a patch.

#2843 changes the API, if at all, only in a compatible way, and there is no decision in the ticket.

#2650 is a bug and not an enhancement, and it does not include a patch but complete files (but bug fixes should go in 1.0 anyway, if possible).

#2553 proposes to make generic views respond in formats other than html, and it does not go into details nor does it include a patch. From the description it isn't clear what it actually proposes, but it looks like a compatible change.

Comments

Jacob plans to rewrite them for newforms. This change rather belongs in the category 'newforms'. Is it really necessary to rewrite the comments in 1.0? Other than the changes in admin, the comments system rewrite shouldn't directly influence the API of newforms. -- mir

Oracle

While it doesn't change APIs, having an oracle backend is great for the 1.0 release, even if it doesn't contribute to the #1 goal. And there is great impetus behind it.

Root View and URL Reversal

The root view proposal was blocked by the problem of URL reversal. A few possible solutions have been brought up, each with some disadvantages, and nobody from the core team has commented on this.

Autoescape

Autoescape only changed APIs if it was on by default. But I've (Michael Radziej) followed the discussion very closely, and I'm sure that the main reaction of the community was strictly against this. Autoescape is my own favorite pet, but when I apply my own criteria, it wouldn't be a candidate for 1.0. One could argue that it will deeply affect the way templates are written and that it is an important step to make Django applications safe, but the consensus about it was not that strong. Or do we want to use it in the admin? -- mir

For people trying to catch up on the discussion, there are a few long threads in the django-developers archives. Two good places to start are probably an early discussion here and the discussion around the original patch. -- Malcolm.

I'm becoming more and more convinced that auto-escaping needs to be on by default. XSS holes totally compromise the security of your application - they are the "root" attack of the Web. They are stupidly easy to introduce - even Google has had them. If you aren't convinced, take a look at the notes I've collected about them: -- Simon
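
To make the autoescape discussion above concrete, here is a small Python model of the semantics being debated. It is an added illustration, not Django's template engine, and the names used (SafeString, mark_safe, render, the sample comment) are assumptions chosen for the example rather than anything from this page. With autoescape on, every value substituted into a template is HTML-escaped unless the developer has explicitly marked it as trusted markup; with autoescape off, a comment body submitted by a visitor is emitted into the page verbatim, which is exactly the XSS hole the comments above are about.

```python
"""Toy model of template auto-escaping (illustration only, not Django code).

Mirrors the semantics under discussion: with autoescape on, every value
substituted into a template is HTML-escaped unless the caller has explicitly
marked it as trusted; with autoescape off, values land in the output as-is.
"""
import html
import re


class SafeString(str):
    """A string the developer has vouched for; the renderer emits it verbatim."""


def mark_safe(s: str) -> SafeString:
    """Declare markup as trusted. Only use on content the application built itself."""
    return SafeString(s)


# Matches {{ name }} placeholders; the capture group is the context key.
_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template: str, context: dict, autoescape: bool = True) -> str:
    """Substitute {{ name }} placeholders from context.

    autoescape=True  -> untrusted values are escaped (the proposed 1.0 default)
    autoescape=False -> values are emitted unchanged (the pre-1.0 behaviour)
    Literal text in the template itself is never touched; only substituted
    values are escaped, as in Django's own autoescape.
    """
    def substitute(match: re.Match) -> str:
        value = context.get(match.group(1), "")
        if isinstance(value, SafeString) or not autoescape:
            return str(value)
        # quote=True also escapes " and ', so the value is safe inside attributes.
        return html.escape(str(value), quote=True)

    return _PLACEHOLDER.sub(substitute, template)


# Constructed sample input: a comment body as a visitor might submit it.
UNTRUSTED_COMMENT = "Nice post! <script>alert(1)</script>"
TEMPLATE = "<p>{{ comment }}</p>"


def demo() -> dict:
    """Render the same comment under both settings, plus a trusted value."""
    return {
        "autoescape_on": render(TEMPLATE, {"comment": UNTRUSTED_COMMENT}),
        "autoescape_off": render(TEMPLATE, {"comment": UNTRUSTED_COMMENT},
                                 autoescape=False),
        "marked_safe": render(TEMPLATE, {"comment": mark_safe("<b>Editor's pick</b>")}),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:15s} {out}")
```

The point of the `mark_safe` escape hatch is that "on by default" does not forbid emitting markup; it only forces the developer to state, at the one place where trusted HTML is produced, that it is trusted, instead of having to remember an escape filter at every one of the far more numerous places where untrusted data is displayed.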

Model Inheritance

The latest description of the API and implementation details is in this thread.

DecimalField

models.FloatField would always return floats (not Decimals), and introspection of DECIMAL columns would yield DecimalFields (not FloatField). The parameters to FloatField would also change (no precision, etc.).

See also this thread.
