Simon Willison’s Weblog

Django 1.0 alpha release notes. The big features are newforms-admin, unicode everywhere, the queryset-refactor ORM improvements and auto-escaping in templates.

# 22nd July 2008, 6:04 am / alpha, autoescaping, django, newformsadmin, orm, python, querysetrefactor, unicode

Jinja2 Final aka Jinjavitus Released. The Jinja template engine now has auto-escaping as an optional feature, disabled by default. Worth considering as an almost drop-in replacement for Django’s template language if features such as macros and compilation to Python code appeal to you.

# 19th July 2008, 11:52 pm / autoescaping, django, jinja, python

Why the h can’t Rails escape HTML automatically? It would be a pretty huge change, but auto-escaping in Rails 2.0 could close up a lot of accidental XSS holes.

# 1st December 2007, 8:34 pm / autoescaping, django, rails, security, xss

Django Changeset 6671. Malcolm Tredinnick: “Implemented auto-escaping of variable output in templates”. Fantastic—Django now has protection against accidental XSS holes, turned on by default.

# 14th November 2007, 5:05 pm / autoescaping, django, malcolmtredinnick, python, security, templating, xss