[Grok-dev] zope has auto-escaping by default of variables to
protect against XSS attacks
Martijn Faassen
faassen at startifact.com
Wed Nov 14 20:31:09 EST 2007
Hi there,
I was just highly amused to read this headline as #3 on
programming.reddit.com:
Just checked in to Django trunk: auto-escaping of all variables in
templates, to protect against XSS attacks by default
It links to here:
http://www.djangoproject.com/documentation/templates/#automatic-html-escaping
Of course the Django developers didn't make this the "news" themselves,
but it's still funny that people apparently consider this as news worth
mentioning. It just landed on the *trunk*, it isn't even released yet.
Zope has been doing this for a while. A long while. The Zope community
(ZC in particular, I think) was actually one of the first to do
something about it, in the year 2000.
This shows how good the Django project is about getting promoted, I guess.
Quoting Zope Weekly News from 2000:
"there's also going to be a "talk on the CERT Advisory",
http://www.oreillynet.com/pub/w/evening_events.html about cross-site
scripting, a web-wide security issue that the Zope Community was among
the first to begin implementing security policies for: they'll land with
zope 2.2."
So, back in 2000 we did announce this as news, but then again this was
the time of the first CERT advisory on the topic, so it *was* news.
http://www.linuxtoday.com/news_story.php3?ltsn=2000-06-07-010-04-OS-SW
(Hey. I help man that Zope booth at that Linux Tag that year, I think!
First time I met Stephan Richter as well, among other. Stephan organized
it. Already a busy bee then, and never changed :)
Regards,
Martijn
More information about the Grok-dev
mailing list