Comment on auto-escaping proposals


d...@simon.net.nz

Sep 12, 2006, 6:00:33 PM
to Django developers
Hi guys,

I've been thinking about auto-escaping (due to another app I was having
issues with), and read the various auto-escaping proposals here on
Django-dev. I realise that this is largely solved by [1] and [2], but
just thought of another solution which might be easier than explicitly
turning auto-escaping on and off per-template. I think this is likely
to get rather annoying, as people are more likely to want escaping on
or off depending on the variable and not at the template level.

Didn't see anyone mention this in the various threads here, so I'm just
raising it now (a few months late!) to cover all alternatives.

Proposal: why not add another template tag marker to display RAW
entries e.g. {< foo >} vs. {{ foo }}. For example the string:

foo = """blah <script>alert('hi!');</script>"""

{< foo >} will display it raw, whilst {{ foo }} will display it HTML
escaped (i.e. the equivalent of {{ foo|escape }}).

You could do it the other way around - keep {{ }} as is, to save
backwards compat (probably the best solution), and have the alternate
tokens as {< >} (again, I just chose these as they're very noticeable,
which will help when scanning templates for issues).

This does, of course, add an extra level of complexity, but I think
it'll be easier to use, and tidier (just looking at the number of
templates I have with |escape scattered everywhere).

Comments?

--Simon

[1] http://code.djangoproject.com/wiki/AutoEscaping
[2] http://code.djangoproject.com/ticket/2359
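A toy renderer for the two-marker scheme Simon proposes, as an added example that is not code from this thread or from Django itself. The `{{ name }}` and `{< name >}` markers are the hypothetical syntax from the post, not Django's real template language; the `render` and `find_raw_markers` helper names and the sample context are assumptions made for illustration, and the sample value is the script-tag string from the post.

```python
import html
import re

# Hypothetical marker syntax from the proposal above, not Django's real one:
# {{ name }} is HTML-escaped on output, {< name >} is emitted raw.
# Both alternatives live in ONE pattern so the template is scanned once.
TOKEN = re.compile(r"\{\{\s*(\w+)\s*\}\}|\{<\s*(\w+)\s*>\}")

# Constructed sample value: the payload string used in the post.
FOO = """blah <script>alert('hi!');</script>"""


def render(template, context):
    """Render `template`, escaping {{ }} variables and passing {< >} through raw.

    A single re.sub pass over the original template means substituted values
    are never re-scanned, so a raw value containing "{{ x }}" stays literal
    instead of becoming a second round of template evaluation.
    Missing variables render as an empty string (mirroring Django's default
    of rendering invalid variables as '').
    """
    def replace(match):
        escaped_name, raw_name = match.group(1), match.group(2)
        if escaped_name is not None:
            # quote=True also escapes ' and ", so the value is safe inside
            # attribute values, not only between tags.
            return html.escape(str(context.get(escaped_name, "")), quote=True)
        return str(context.get(raw_name, ""))

    return TOKEN.sub(replace, template)


def find_raw_markers(template):
    """Return the variable names emitted raw, in template order.

    This is the audit Simon has in mind: a distinctive raw marker makes the
    unescaped outputs in a template easy to enumerate and review.
    """
    return [m.group(2) for m in TOKEN.finditer(template) if m.group(2) is not None]


if __name__ == "__main__":
    ctx = {"foo": FOO}
    print(render("<p>{{ foo }}</p>", ctx))   # escaped: the script tag is neutralised
    print(render("<p>{< foo >}</p>", ctx))   # raw: the script tag reaches the browser
    print(find_raw_markers("<p>{{ a }}</p><div>{< b >}</div><span>{< c >}</span>"))
```

The single combined pattern matters: substituting raw markers first and escaped markers second would let a raw value such as `{{ secret }}` be picked up by the second pass, turning user-controlled data into template syntax. Scanning once over the original string avoids that, and `find_raw_markers` is the grep-style check a reviewer would run over a template tree to list every place escaping was deliberately switched off.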

SmileyChris

Sep 12, 2006, 8:00:47 PM
to Django developers
This suggestion was dismissed pretty fast last time it was brought up. I
don't think this is the direction that the Django developers want to go
down.

Have you checked out my AutoEscaping alternative?
(http://code.djangoproject.com/wiki/AutoEscape%20alternative#SuggestedSolution)
It's simple and effective ;)

Alan Green

Sep 12, 2006, 8:10:23 PM
to django-d...@googlegroups.com
On 9/13/06, SmileyChris <smile...@gmail.com> wrote:
>
> This suggestion was dismissed pretty fast last time it was brought up. I
> don't think this is the direction that the Django developers want to go
> down.
>

You can find that discussion here:

http://groups.google.com/group/django-developers/browse_thread/thread/9d14bc19120c2d49/5c7bf721a18a0465?#5c7bf721a18a0465

Cheers,

Alan.
--
Alan Green
al...@bright-green.com - http://bright-green.com

d...@simon.net.nz

Sep 12, 2006, 8:28:08 PM
to Django developers
Right. I somehow missed that entire conversation!

Thanks guys - I'm going back to bed :-)

--Simon
