I've been thinking about auto-escaping (due to another app I was having
issues with, and read the various auto-escaping proposals here on
Django-dev. I realise that this is largely solved by [1] and [2], but
just thought of another solution which might be easier than explicitly
turning auto-escaping on and off per-template. I think this is likely
to get rather annoying, as people are more likely to want escaping on
or off depending on the variable and not at the template level.
Didn't see anyone mention this in the various threads here, so I'm just
raising it now (a few months late!) to cover all alternatives.
Proposal: why not add another template tag marker to display RAW
entries e.g. {< foo >} vs. {{ foo }}. For example the string:
foo = """blah <script>alert('hi!');</script>"""
{< foo >} will display it raw, whilst {{ foo }} will display it as html
escaped (i.e. as the equivalent of {{ foo|escape }}).
You could do it the other way around - keep {{ }} as is, to save
backwards compat (probably the best solution), and have the alternate
tokens as {< >} (again, I just chose these as they're very noticeable -
which will help when scanning templates for issues).
This does, of course, add an extra level of complexity, but I think
it'll be easier to use, and tidier (just looking at the number of
templates I have with |escape scattered everywhere).
Comments?
--Simon
[1] http://code.djangoproject.com/wiki/AutoEscaping
[2] http://code.djangoproject.com/ticket/2359
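A minimal renderer for the two markers described above, added here as an illustration of the proposal; it is not Django's template engine and not code from this thread. The `render` and `find_raw_markers` names and the regex are assumptions.

```python
import html
import re

# Matches the proposed raw marker {< name >} and the escaped marker {{ name }}.
# This tiny renderer illustrates the proposal; it is not Django's template engine.
_TOKEN = re.compile(r"\{(?P<kind>[{<])\s*(?P<name>\w+)\s*(?P<close>[}>])\}")

# Constructed sample value, taken from the string quoted in the proposal.
FOO = "blah <script>alert('hi!');</script>"


class TemplateSyntaxError(ValueError):
    pass


def render(template: str, context: dict) -> str:
    """Render a template where {{ var }} is HTML-escaped by default and
    {< var >} emits the value verbatim."""
    def substitute(match: re.Match) -> str:
        kind, close, name = match.group("kind"), match.group("close"), match.group("name")
        # Reject mismatched delimiters such as {{ foo >} so that a typo cannot
        # silently switch a variable between escaped and raw output.
        if (kind, close) not in {("{", "}"), ("<", ">")}:
            raise TemplateSyntaxError(f"mismatched delimiters in {match.group(0)!r}")
        if name not in context:
            raise TemplateSyntaxError(f"unknown variable {name!r}")
        value = str(context[name])
        if kind == "{":
            # Safe default: escape <, >, &, " and ' before emitting.
            return html.escape(value, quote=True)
        # {< >}: the template author explicitly vouches that this is safe markup.
        return value
    return _TOKEN.sub(substitute, template)


def find_raw_markers(template: str) -> list:
    """List the variables emitted raw, for scanning templates for issues."""
    return [m.group("name") for m in _TOKEN.finditer(template) if m.group("kind") == "<"]


if __name__ == "__main__":
    print(render("<p>{{ foo }}</p>", {"foo": FOO}))
    print(render("<div>{< foo >}</div>", {"foo": FOO}))
    print(find_raw_markers("<p>{{ foo }}</p>{< foo >}"))
```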
Have you checked out my AutoEscaping alternative?
(http://code.djangoproject.com/wiki/AutoEscape%20alternative#SuggestedSolution)
It's simple and effective ;)
You can find that discussion here:
Cheers,
Alan.
--
Alan Green
al...@bright-green.com - http://bright-green.com
Thanks guys - I'm going back to bed :-)
--Simon