Message from discussion Proposal: default escaping
James Bennett  
From: "James Bennett" <ubernost...@gmail.com>
Date: Sun, 18 Jun 2006 01:54:25 -0500
Local: Sun, Jun 18 2006 2:54 am
Subject: Re: Proposal: default escaping
On 6/16/06, Christopher Lenz <cml...@gmx.de> wrote:

> To reiterate: templates shouldn't need to care about escaping. Django
> *in particular* uses an intentionally dumbed down template system
> that is supposed to be easy for non-programmers, which includes the
> notion that little mistakes in templates shouldn't break the site or
> even introduce security holes.

The problem here, architecture-wise, is that the template is the thing
that cares about what output looks like. Moving the decision of
whether to escape or not into some other part of the stack breaks with
that and introduces the possibility of frustrating inconsistency in
the templating system; explaining to a template author why {{ foo }}
escapes in one case but not another, based on (to the template author)
black magic happening in the backend isn't something I particularly
want to do.

> IMHO, a real solution for this problem is that any normal string
> inserted into template output is escaped by default. This does not
> necessarily mean that there needs to be an unescape filter, though.

Yes. Yes, it does.

> In fact, most of the time, Django components that generate a string
> *know* that they are generating text that must not be escaped,
> such as the output of the markdown filter, or form field render()
> results. Those places should flag the strings they are generating in
> some way (for example by wrapping them in a special class), thereby
> signaling to the template system that those strings should not be
> escaped again.

As someone who's followed various RSS-related discussions for a long
time, I can say that having multiple layers of a system have to worry
about whether the other layers have escaped or unescaped something is
a very special kind of hell that I don't want Django to get mired in.

But beyond that, it feels like a violation of loose coupling; doing
this would bind Django components to each other in ways that don't
feel right.

My vote is for escaping being off unless explicitly turned on, and for
it being turned on in the template.

--
"May the forces of evil become confused on the way to your house."
  -- George Carlin
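The two designs argued over in this thread (escape-by-default with a "this is already safe" marker class, versus escaping only when the template author asks for it) are small enough to show side by side. The following is an added example written for this page, not code from the thread or from Django; the names `SafeString`, `mark_safe`, `render` and `FILTERS` are assumptions for the illustration (Django itself later adopted a design of this shape: autoescaping on by default, `mark_safe`, and the `safe` filter). It also shows the "double escaping" failure James warns about: a producer that escapes its own output but returns a plain string gets escaped a second time.

```python
import html
import re

# Marker class (hypothetical name): a producer that wraps its output in this
# asserts "this is already safe HTML, do not escape it again".
class SafeString(str):
    pass


def mark_safe(value):
    """Flag a string as safe for direct insertion into HTML output."""
    return SafeString(value)


def escape(value):
    """Escape unless the value has already been flagged safe; the result is
    flagged safe so that escaping is idempotent instead of compounding."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


# Template filters (hypothetical minimal set): "safe" opts a value out of
# escaping, "escape" forces it even when autoescaping is off.
FILTERS = {
    "safe": mark_safe,
    "escape": escape,
}

# Matches {{ name }} and {{ name|filter|filter }}
VAR_RE = re.compile(r"\{\{\s*(\w+)((?:\|\w+)*)\s*\}\}")


def render(template, context, autoescape=True):
    """Substitute {{ var }} expressions. With autoescape=True every plain
    string is escaped on output; SafeString values pass through untouched."""
    def substitute(match):
        value = context.get(match.group(1), "")
        for name in filter(None, match.group(2).split("|")):
            value = FILTERS[name](value)
        if autoescape:
            value = escape(value)
        return str(value)
    return VAR_RE.sub(substitute, template)


# Constructed sample context: one untrusted user string, one string a
# markdown-style renderer produced and flagged, and one string a producer
# escaped itself but forgot to flag.
UNTRUSTED = '<script>alert(1)</script>'
CONTEXT = {
    "comment": UNTRUSTED,
    "rendered_md": mark_safe("<p>hello</p>"),
    "pre_escaped": html.escape("a < b"),
}


def demo():
    """Render the same context under both policies and return the outputs."""
    return {
        # escape-by-default: untrusted text is neutralised without any
        # action by the template author
        "default": render("<li>{{ comment }}</li>", CONTEXT),
        # flagged output from a trusted producer is inserted verbatim
        "marked_safe": render("{{ rendered_md }}", CONTEXT),
        # explicit |escape under autoescape does not compound, thanks to the marker
        "explicit": render("{{ comment|escape }}", CONTEXT),
        # the "layers disagree" case: escaped once by the producer, again by output
        "double": render("{{ pre_escaped }}", CONTEXT),
        # template author opts out with |safe
        "opt_out": render("{{ comment|safe }}", CONTEXT),
        # the opposite policy: nothing is escaped unless the template asks
        "off": render("{{ comment }}", CONTEXT, autoescape=False),
        "off_explicit": render("{{ comment|escape }}", CONTEXT, autoescape=False),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:12s} {out}")
```

The `double` entry is the concrete form of the "which layer already escaped this?" problem: `a &lt; b` becomes `a &amp;lt; b` because the producer and the output stage each believed escaping was their job. The marker class resolves it only if every producer of already-safe HTML uses it, which is exactly the cross-component coupling the post objects to; the opt-in policy avoids that coupling but makes every forgotten `|escape` in a template a potential injection point.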

