I'd like to introduce the ESAPI Swingset [1], an application aiming to make security more transparent and exploratory. The application allows developers to learn more about security in a safe sandbox. To really understand what it's all about, take a look! There are pretty good demonstrations of cross-site scripting and direct object reference. Keeping with our focus on Django, I've added a page [2] for cross-site scripting that exemplifies what the Django autoescaper does, and while it protects against many attacks, it doesn't do everything.
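To make the "doesn't do everything" point concrete, here is an added example (my own illustration, not code from the Swingset, ESAPI or Django). It mirrors the five-character escape a template autoescaper applies to element content and contrasts it with per-context encoders in the style of the OWASP XSS prevention rules. The encoder names, the breakout-character sets and the sample input are constructed for the demonstration.

```python
"""Added example (not ESAPI or Django code): one HTML escaper does not cover every
output context. Function names, breakout sets and sample input are constructed."""
import re
from urllib.parse import quote

# What an HTML-body autoescaper replaces: enough for <p>{{ value }}</p>.
_HTML_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}
_ALNUM = re.compile(r"[A-Za-z0-9]")


def escape_html_body(value: str) -> str:
    """Escape for HTML element content (the autoescaper's job)."""
    return "".join(_HTML_ESCAPES.get(ch, ch) for ch in value)


def encode_html_attribute(value: str) -> str:
    """Encode for an attribute value: everything non-alphanumeric becomes &#xHH;,
    so the value cannot end the attribute even when the template forgot the quotes."""
    return "".join(ch if _ALNUM.match(ch) else f"&#x{ord(ch):X};" for ch in value)


def encode_js_string(value: str) -> str:
    """Encode for a JavaScript string literal with \\xHH / \\uHHHH escapes: HTML
    entities are not decoded inside <script>, and a raw backslash or newline still
    changes how the literal is parsed."""
    out = []
    for ch in value:
        if _ALNUM.match(ch):
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"\\x{ord(ch):02X}")
        else:
            out.append(f"\\u{ord(ch):04X}")
    return "".join(out)


def encode_url_param(value: str) -> str:
    """Percent-encode a value placed in a query string (no characters left 'safe')."""
    return quote(value, safe="")


# Characters that still carry meaning in each context if they reach the page raw.
_BREAKOUT = {
    "html_body": set("<>&\"'"),
    "attr_unquoted": set("<>&\"'` \t\n\r=/"),
    "js_string": set("\\'\"\n\r<"),
}
# Well-formed entities and JS escapes are stripped before checking, so the '&' of
# "&lt;" or the backslash of "\x3C" is not mistaken for a raw metacharacter.
_ESCAPE_SEQ = re.compile(r"&#x[0-9A-Fa-f]+;|&[a-z]+;|\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}")

_ENCODERS = {
    "html_body": escape_html_body,
    "attr_unquoted": encode_html_attribute,
    "js_string": encode_js_string,
}


def raw_metachars(encoded: str, context: str) -> set:
    """Breakout characters that survive un-encoded in `encoded` for `context`."""
    stripped = _ESCAPE_SEQ.sub("", encoded)
    return {ch for ch in stripped if ch in _BREAKOUT[context]}


def compare_contexts(value: str) -> dict:
    """For each context: (survivors after body escaping only, survivors after the
    context-specific encoder). A non-empty first set is a gap the autoescaper leaves."""
    body = escape_html_body(value)
    return {ctx: (raw_metachars(body, ctx), raw_metachars(enc(value), ctx))
            for ctx, enc in _ENCODERS.items()}


if __name__ == "__main__":
    sample = "x y=z \\ <tag>"  # constructed: spaces, '=', a backslash, angle brackets
    for ctx, (after_body, after_ctx) in compare_contexts(sample).items():
        print(f"{ctx:14s} body-escape leaves {sorted(after_body)!r}; "
              f"context encoder leaves {sorted(after_ctx)!r}")
```

Running it shows the body escaper is complete for element content but leaves the space and `=` intact for an unquoted attribute and the backslash intact for a JavaScript string, while the matching encoder leaves nothing raw in either.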
Why is it called the ESAPI Swingset? Last year I wrote the Enterprise Security API (ESAPI) for Python [3]. It's a toolkit that helps application and framework developers write code with good security design. It includes examples of how to do authentication, access control, input validation, and more. It also includes a number of standard controls usable right out of the box - like escaping methods for all the HTML contexts necessary to fully prevent XSS. Lastly, one of my favorite parts is the intrusion detection system, a system that integrates with Python exceptions, watches for signs of an attack, and can take action such as disabling a user account or blocking an IP.
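As an added example of the exception-driven intrusion detection idea (this is a sketch of mine, not the ESAPI for Python implementation or its API), the following keeps a sliding window of security exceptions per user and fires configured actions when a threshold is exceeded. The exception classes, `Threshold` fields, action names, the deterministic clock and the sample event stream are all constructed; the IP-blocking action mentioned above is left out to keep the sketch short.

```python
"""Added example (not the ESAPI for Python code itself): a minimal intrusion detector
fed by security exceptions raised during request handling. Class names, thresholds,
action names and the sample event stream are constructed."""
import time
from collections import defaultdict, deque
from contextlib import contextmanager
from dataclasses import dataclass, field


class SecurityException(Exception):
    """Base for exceptions that double as intrusion-detection signals."""


class ValidationException(SecurityException):
    """Input failed validation (possible probing)."""


class AccessControlException(SecurityException):
    """A user asked for a resource they may not see (possible direct object reference probing)."""


@dataclass
class Threshold:
    count: int        # this many events of one kind ...
    interval: float   # ... within this many seconds ...
    actions: tuple    # ... trigger these actions, in order


@dataclass
class Account:
    locked: bool = False
    events: dict = field(default_factory=lambda: defaultdict(deque))  # event name -> timestamps


class IntrusionDetector:
    def __init__(self, thresholds, clock=time.monotonic):
        self._thresholds = thresholds        # {exception class name: Threshold}
        self._accounts = defaultdict(Account)
        self._clock = clock                  # injectable so tests are deterministic
        self.log = []                        # (timestamp, user, event, action)

    def add_exception(self, exc, user):
        """Record a security exception for `user`; return the actions taken (if any)."""
        name = type(exc).__name__
        threshold = self._thresholds.get(name)
        if threshold is None:
            return []
        now = self._clock()
        window = self._accounts[user].events[name]
        window.append(now)
        # Keep only events inside the interval so a slow trickle never trips the threshold.
        while window and now - window[0] > threshold.interval:
            window.popleft()
        if len(window) < threshold.count:
            return []
        window.clear()                       # count the next burst afresh
        for action in threshold.actions:
            self._take(action, user, name, now)
        return list(threshold.actions)

    def _take(self, action, user, event, now):
        if action == "disable":
            self._accounts[user].locked = True
        elif action != "log":
            raise ValueError(f"unknown action {action!r}")
        self.log.append((now, user, event, action))

    def is_locked(self, user):
        return self._accounts[user].locked


@contextmanager
def report_to(detector, user):
    """Wrap request handling: any SecurityException is reported, then re-raised."""
    try:
        yield
    except SecurityException as exc:
        detector.add_exception(exc, user)
        raise


def run_sample_session():
    """Constructed stream: alice trips the validation threshold (log only),
    bob trips the access-control threshold (log, then account disabled)."""
    ticks = iter(range(100))                 # one-second ticks instead of wall-clock time
    ids = IntrusionDetector(
        {"ValidationException": Threshold(count=3, interval=10, actions=("log",)),
         "AccessControlException": Threshold(count=2, interval=60, actions=("log", "disable"))},
        clock=lambda: next(ticks),
    )
    for user, exc in [("alice", ValidationException()), ("alice", ValidationException()),
                      ("bob", AccessControlException()), ("alice", ValidationException()),
                      ("bob", AccessControlException())]:
        try:
            with report_to(ids, user):
                raise exc                    # stands in for a handler that rejects the request
        except SecurityException:
            pass                             # the framework would return 400/403 here
    return ids


if __name__ == "__main__":
    detector = run_sample_session()
    for entry in detector.log:
        print(entry)
    print("bob locked:", detector.is_locked("bob"))
```

The `report_to` wrapper is the integration point: application code raises the same exceptions it would raise anyway, and the detector sees every one of them without the handlers having to call it explicitly.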
I'd really appreciate your feedback on these. If you're interested in contributing to either project, the code is open source and available online [3][4]. You could contribute another encoding mechanism to the XSS section, or perhaps have a tutorial on CSRF in Django. Any ideas or contributions are welcome.