On Fri, 2006-06-09 at 14:35 +0100, Simon Willison wrote:
> On 9 Jun 2006, at 14:03, Spock wrote:
> > I have an application where most of the data is fetched from the database.
> > Those data are inserted by people without "trust", so in every template
> > I'm using the |escape filter ... so my question is:
> >
> > Is there some method to enable a global escape filter? :)
> 
> I've been thinking about this recently, and I've come to the  
> conclusion that we might have missed a trick by not making ALL  
> replacement variables escaped by default (and including a var|raw  
> filter for the times when you don't want stuff to be escaped). It's  
> probably too late to change this now though.

I thought we'd kind of reached consensus this (always escape) was a good
idea last time this came up. But then it slipped into the "too hard for
now" basket.

Anyway, Simon no doubt remembers the arguments (since he was involved),
but for others wanting to see past discussions, here are two threads
that provide some background of ideas...

http://groups.google.com/group/django-users/browse_frm/thread/13cf8218d3a18aad/f4648b081c90885a?q=escaping+html&rnum=1#f4648b081c90885a

http://groups.google.com/group/django-developers/browse_frm/thread/e448bbdd40426915/2ee9766d0d148706?q=html+escaping&rnum=1#2ee9766d0d148706


Regards,
Malcolm
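
The two policies discussed in this thread, opt-in `|escape` versus escape-by-default with a `var|raw` opt-out, compared in an added example that is not part of the original messages and is not Django's code. The mini renderer, the `render` and `unescaped_vars` names, and the sample data are all hypothetical and constructed for illustration.

```python
import html
import re

# Hypothetical mini template syntax (not Django's engine):
# {{ name }} or {{ name|filter }} where filter is "escape" or "raw".
VAR = re.compile(r"\{\{\s*(\w+)\s*(?:\|\s*(\w+)\s*)?\}\}")


def render(template, context, autoescape):
    """Substitute {{ var }} tags.

    autoescape=False: opt-in policy, escaped only where |escape is written.
    autoescape=True:  proposed policy, escaped unless |raw is written.
    """
    def substitute(match):
        name, flt = match.group(1), match.group(2)
        if flt not in (None, "escape", "raw"):
            raise ValueError(f"unknown filter: {flt}")
        value = str(context.get(name, ""))
        if flt == "raw":
            return value
        if flt == "escape" or autoescape:
            return html.escape(value, quote=True)
        return value
    return VAR.sub(substitute, template)


def unescaped_vars(template, autoescape):
    """Audit helper: variables that the given policy emits without escaping."""
    return [name for name, flt in VAR.findall(template)
            if flt == "raw" or (not autoescape and flt != "escape")]


# Constructed sample data standing in for values entered by untrusted users.
CONTEXT = {
    "title": "<b>hi</b>",
    "comment": "<script>alert(1)</script>",
    "trusted_html": "<em>site notice</em>",
}

# The template author remembered |escape on title but forgot it on comment.
TEMPLATE = "<h1>{{ title|escape }}</h1><p>{{ comment }}</p>{{ trusted_html|raw }}"

if __name__ == "__main__":
    for policy in (False, True):
        print("autoescape =", policy)
        print("  output:     ", render(TEMPLATE, CONTEXT, policy))
        print("  unescaped:  ", unescaped_vars(TEMPLATE, policy))
```

Under the opt-in policy the forgotten filter leaves `comment` unescaped without any visible sign in the template; under escape-by-default the only unescaped output is the one explicitly marked `|raw`, which is what a reviewer can search for.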

