On Fri, 4 Jun 2021 at 15:42, Richard Damon <[email protected]> wrote:
> I think one fundamental problem is that you can't detect programmatically
> if a string needs to be escaped or not.
>
> For instance, the sequence & might be an already escaped & or it might
> be the text to tell you how to escape an ampersand and needs to be
> converted to &amp;
>

That's a problem which Python can't solve. This is up to the consumer of
InterpolationTemplate. In the django world, it is solved via
conditional_escape():
https://github.com/django/django/blob/3.2.4/django/utils/html.py#L92

Regards,
Thomas

> Promoting sloppy coding by handling the most common cases is the way to make
> it easier to create security vulnerabilities.
>
> Maybe if escaped strings had a different type than unescaped strings, but
> then you need a bunch of different types for different rules for escaping.
>
_______________________________________________
Python-ideas mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at https://mail.python.org/archives/list/[email protected]/message/YQIONRVFKONSW3YO23KVHMJNFHQNLSRW/
Code of Conduct: http://python.org/psf/codeofconduct/
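The type-based approach the reply points to (Django's conditional_escape()), as an added illustration that is not code from this thread or from Django: a minimal SafeString marker, a conditional_escape that decides by the value's type rather than by inspecting its content, and a small $-placeholder renderer standing in for the consumer of an interpolation template. All names here (SafeString, mark_safe, render) are assumptions for the example.

```python
"""Conditional escaping decided by type, not by inspecting string content.

Added example (not from the thread or from Django). A value counts as
already escaped only when its type says so (an __html__ method, the
convention Django's SafeString uses), so "&amp;" as a plain str is data
to be escaped, while the same text marked safe passes through untouched.
"""
import html
import string


class SafeString(str):
    """A str whose content has already been escaped for HTML."""

    def __html__(self) -> str:
        return str(self)


def mark_safe(s: str) -> SafeString:
    """Declare s as already escaped; only the producer of trusted markup does this."""
    return SafeString(s)


def conditional_escape(value) -> SafeString:
    """Escape value unless its type declares it already escaped."""
    if hasattr(value, "__html__"):
        return SafeString(value.__html__())
    return SafeString(html.escape(str(value), quote=True))


def render(template: str, **values) -> SafeString:
    """Interpolate $name placeholders, conditionally escaping every value.

    Stand-in for the template consumer: the template text is trusted, each
    interpolated value goes through conditional_escape, and the result is
    itself marked safe so nested renders are not escaped twice.
    """
    escaped = {k: conditional_escape(v) for k, v in values.items()}
    return SafeString(string.Template(template).substitute(escaped))


if __name__ == "__main__":
    # Plain str: the engine cannot tell whether "&amp;" was meant as markup,
    # so it is treated as data and escaped (the ambiguity is resolved by type).
    print(render("<p>$body</p>", body="&amp;"))             # <p>&amp;amp;</p>
    # Same text marked safe by its producer: passed through unchanged.
    print(render("<p>$body</p>", body=mark_safe("&amp;")))  # <p>&amp;</p>
    # Untrusted input containing markup is neutralised.
    print(render("<p>$body</p>", body='<i>x</i> & "y"'))
    # Rendered output is safe, so nesting does not double-escape.
    inner = render("<b>$x</b>", x="a & b")
    print(render("<p>$inner</p>", inner=inner))             # <p><b>a &amp; b</b></p>
```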
