On Monday, September 14, 2015 at 1:17:37 AM UTC+2, jasbligh wrote:

> I'd propose solving as follows
>
> 1) use the autofocus attribute when creating the form. This will work for
> IE10+ http://caniuse.com/#feat=autofocus It can also be done by creating a
> few targeted one-line js files and including them instead of the inline.
> It just seems a lot of http overhead to save users of two old browsers
> having to click into a text input.

Why would we need one-line js files? If we decide against the autofocus attribute (this might get a little bit hard with the forms framework), we can still put a data-autofocus="#someid" into the body element and then add a handler for that.

> 2) use the <script type="application/json"> technique instead.
> https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#HTML_entity_encoding

Makes sense; depending on the actual parameters, data attributes could make sense too for a few things. Oh, btw, please do not handwrite JSON in templates: either do it in the view or use a filter to actually create JSON, which then only needs to go through the autoescape filter, I think. (In that sense there is also not really a need for escapejs as far as I see it, but I might be wrong.)

> 3) instead of hrefs pointing to javascript:void(0) change these to simply
> #javascriptvoid. Other places use inline code in the javascript: href.
> These could be changed to use #javascriptvoid too and the code moved to a
> function that is linked to the element using jQuery or the addEvent method
> from core.js as appropriate.

Sounds good, do we need a target for the hrefs at all though?

Cheers,
Florian
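Below is an added example illustrating point 2 and the "do not handwrite JSON in templates" advice above. It is not code from the thread or from Django itself; the helper names (dump_for_script, json_script, handwritten_template, parse_embedded) and the sample values are my own. It builds the JSON in Python, the way a view or a template filter would, and escapes "<", ">" and "&" as JSON \uXXXX sequences so that a string containing "</script>" can never terminate the element, while the payload stays valid JSON. For contrast it also shows what happens when a template writes the JSON by hand and relies on HTML autoescaping: the browser does not decode entities inside a script element, so the data arrives corrupted, and a newline in the value breaks the JSON outright. (Django later added a json_script template filter that applies the same \u003C-style escaping; in 2015, when this thread was written, the view or a custom filter had to do it.)

```python
import html
import json

# Inside a <script> element the HTML parser does not decode entities, so
# HTML-escaping is useless there; what must never appear literally is a
# "</script>" sequence (it ends the element) or "<!--" (it changes the
# tokenizer's state). JSON lets any character be written as \uXXXX, so
# escaping these three characters keeps the output both valid JSON and
# safe to embed. The escape table is this example's own, not Django's.
_JSON_SCRIPT_ESCAPES = {
    ord("<"): "\\u003C",
    ord(">"): "\\u003E",
    ord("&"): "\\u0026",
}


def dump_for_script(value):
    """Serialize value to JSON that is safe to place inside a <script> element."""
    return json.dumps(value).translate(_JSON_SCRIPT_ESCAPES)


def json_script(value, element_id):
    """Render a <script type="application/json"> block the page's JS can read
    with JSON.parse(document.getElementById(id).textContent). The id is an
    attribute value, so ordinary HTML attribute escaping is correct there."""
    return '<script id="{}" type="application/json">{}</script>'.format(
        html.escape(element_id, quote=True), dump_for_script(value)
    )


def handwritten_template(label):
    """The pattern being advised against: JSON literal typed into a template,
    with only HTML autoescaping applied to the interpolated value. Mimics:
        <script type="application/json">{"label": "{{ label }}"}</script>
    """
    return '<script type="application/json">{"label": "%s"}</script>' % html.escape(label)


def script_payload(markup):
    """Return the raw text between the opening tag and the first "</script>",
    which is what a browser hands to JSON.parse(); the first terminator wins,
    exactly as in the tokenizer."""
    start = markup.index(">") + 1
    end = markup.index("</script>")
    return markup[start:end]


def parse_embedded(markup):
    """Parse the embedded JSON the way client-side code would."""
    return json.loads(script_payload(markup))


if __name__ == "__main__":
    # Constructed sample values: one with characters that matter inside a
    # script element, one containing a newline.
    hostile = {"label": 'Tom & Jerry <3 </script><img src=x onerror=alert(1)>'}
    print(json_script(hostile, "admin-config"))
    print(parse_embedded(json_script(hostile, "admin-config")) == hostile)  # True

    # Handwritten JSON: autoescaping keeps the element intact but the
    # entities survive into the parsed data, and a newline is fatal.
    print(parse_embedded(handwritten_template("Tom & Jerry <3")))
    try:
        parse_embedded(handwritten_template("line1\nline2"))
    except ValueError as exc:
        print("handwritten JSON broke:", exc)
```

Note that escaping only the three characters above is enough because every other byte is already handled by json.dumps (quotes, backslashes and control characters are escaped by the JSON encoder itself); the remaining job of the template is simply to emit the string unchanged, which is why a filter that marks its output safe, or a view that passes pre-built JSON, is the right shape.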
