From: "Todd O'Bryan" <toddobr...@mac.com>
Date: Tue, 20 Jun 2006 07:05:50 -0400
Local: Tues, Jun 20 2006 7:05 am
Subject: Re: Proposal: default escaping (and branch request)
Hey. We came up with this independently. It must be a good idea. :-)

Todd

On Jun 20, 2006, at 5:50 AM, adurdin wrote:

> Simon Willison wrote:
>> I've written up a proposal for how we can implement auto escaping
>> while hopefully keeping most people happy:

>> http://code.djangoproject.com/wiki/AutoEscaping

> A very nice solution, with a good method of automatically flagging
> things as escaped or not; but it seems to me more complicated than is
> needed. And, of course there's more than just html escaping needed;
> URLs should be escaped differently, and other values intended to be
> used as attributes also need a different escape filter -- I'm not sure
> your proposal will allow these to be handled correctly and
> conveniently. So here's another idea to throw into the soup:

> Having the context aware of the primary escaping needs of the output is
> a nice idea, but as James Bennett pointed out, the template is what
> should be making the decision.  Suppose the template render had a
> "default filter" that would get applied to all otherwise unfiltered
> output?  Obviously, the default value for this would be
> django.template.defaultfilters.escape  -- but it could be set to
> another filter for JSON output, or to None for plain text.  One
> possible mechanism for doing this would be a {% default_filter ... %}
> tag in the template...?

> Assuming the default, then {{name}} would be the equivalent of
> {{name|escape}}, whereas <a href="{{myurl|urlencode}}"> would remain
> unchanged, and a new filter "raw" (just a pass-thru) could be used for
> situations like <script>{{myscript|raw}}</script>.

> The main drawback I see with this is that the behaviour of
> {{mylist|count}} is not obviously unescaped.  Perhaps having all output
> piped through the default filter unless it is piped through the "raw"
> filter (which could perhaps be handled using Michael's escaped
> strings)?

> Andrew
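A small renderer that implements the mechanism Andrew describes above, as an added example that is not part of this thread or of Django's own template code. It gives `render()` a `default_filter` argument that is applied to all output, provides `raw` as a pass-through, and uses a `SafeString` marker (standing in for the "escaped strings" he mentions) so that a value that has already been escaped, url-encoded or explicitly marked raw is not escaped a second time. This follows his second variant: everything goes through the default filter, and the marker is what lets `raw`, `urlencode` and an explicit `escape` opt out. The template syntax, the filter names and `SafeString` are assumptions for this example.

```python
import html
import json
import re
import urllib.parse


class SafeString(str):
    """Marker type: the value is already escaped (or deliberately raw),
    so the default filter must leave it alone. Assumed for this example."""


def escape(value):
    # Already-safe strings pass through untouched; everything else is
    # HTML-escaped (including quotes, so it is safe inside attributes too).
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


def urlencode(value):
    # Percent-encode for use in a URL; "/" is kept so paths stay readable.
    # The result is marked safe so the default filter does not HTML-escape
    # the percent signs it produced.
    return SafeString(urllib.parse.quote(str(value), safe="/"))


def raw(value):
    # Pass-through: the template author takes responsibility for this value.
    return SafeString(str(value))


def count(value):
    return len(value)


FILTERS = {"escape": escape, "urlencode": urlencode, "raw": raw, "count": count}

# Matches {{ name }} and {{ name|filter1|filter2 }} (filter arguments omitted).
TOKEN = re.compile(r"\{\{\s*(\w+)((?:\|\w+)*)\s*\}\}")


def render(template, context, default_filter=escape):
    """Substitute variables, run their explicit filters, then apply the
    template's default filter to the result. default_filter=None gives
    plain-text output; json.dumps gives JSON output."""

    def substitute(match):
        value = context[match.group(1)]
        for name in match.group(2).split("|")[1:]:
            value = FILTERS[name](value)
        if default_filter is not None:
            value = default_filter(value)
        return str(value)

    return TOKEN.sub(substitute, template)


if __name__ == "__main__":
    # Constructed sample context for a quick demonstration.
    ctx = {"name": "<b>Todd</b>", "myurl": "a b&c", "myscript": "if (a < b) {}", "mylist": [1, 2, 3]}
    print(render("<p>{{name}}</p>", ctx))                      # escaped by default
    print(render('<a href="{{myurl|urlencode}}">', ctx))       # url-encoded, not HTML-escaped again
    print(render("<script>{{myscript|raw}}</script>", ctx))    # pass-through
    print(render("{{mylist|count}}", ctx))                     # "3"
    print(render("{{name}}", ctx, default_filter=None))        # plain text
    print(render("{{name}}", ctx, default_filter=json.dumps))  # JSON string literal
```

With this arrangement the `{{mylist|count}}` case is no longer ambiguous: the integer result still passes through the default filter and is simply escaped to `"3"`. The trade-off is that any filter producing markup on purpose has to return a `SafeString`, otherwise its output is escaped like any other value.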