[Grok-dev] zope has auto-escaping by default of variables to protect against XSS attacks

Martijn Faassen faassen at startifact.com
Wed Nov 14 20:31:09 EST 2007


Hi there,

I was just highly amused to read this headline as #3 on 
programming.reddit.com:

Just checked in to Django trunk: auto-escaping of all variables in 
templates, to protect against XSS attacks by default

It links to here:

http://www.djangoproject.com/documentation/templates/#automatic-html-escaping

Of course the Django developers didn't make this the "news" themselves, 
but it's still funny that people apparently consider this as news worth 
mentioning. It just landed on the *trunk*, it isn't even released yet. 
Zope has been doing this for a while. A long while. The Zope community 
(ZC in particular, I think) was actually one of the first to do 
something about it, in the year 2000.

This shows how good the Django project is about getting promoted, I guess.

Quoting Zope Weekly News from 2000:

"there's also going to be a "talk on the CERT Advisory", 
http://www.oreillynet.com/pub/w/evening_events.html about cross-site 
scripting, a web-wide security issue that the Zope Community was among 
the first to begin implementing security policies for: they'll land with 
zope 2.2."

So, back in 2000 we did announce this as news, but then again this was 
the time of the first CERT advisory on the topic, so it *was* news.

http://www.linuxtoday.com/news_story.php3?ltsn=2000-06-07-010-04-OS-SW

(Hey. I helped man that Zope booth at that Linux Tag that year, I think! 
First time I met Stephan Richter as well, among others. Stephan organized 
it. Already a busy bee then, and never changed :)

Regards,

Martijn
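As an added illustration, not from the post above and not Django's or Zope's own code: a minimal template renderer in Python that escapes every substituted variable by default, with an explicit `Markup` wrapper for the rare value that is deliberately trusted HTML, in the spirit of the auto-escaping both frameworks describe. The `{{ name }}` syntax, the `Markup` class, the `render` function and the sample inputs are all assumptions constructed for this example.

```python
import html
import re

# Assumed, constructed for this example: placeholders look like {{ name }}.
_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


class Markup(str):
    """A string the developer has explicitly marked as safe HTML.

    The renderer passes it through unescaped; everything else is escaped.
    Wrapping must be an explicit act, so a forgotten escape fails safe.
    """


def escape(value):
    """Escape a value for an HTML text or quoted-attribute context.

    html.escape(quote=True) rewrites & < > " and ' so that user input can
    neither open a tag nor break out of a quoted attribute.
    """
    if isinstance(value, Markup):
        return str(value)
    return html.escape(str(value), quote=True)


def render(template, context, autoescape=True):
    """Substitute {{ name }} with context[name].

    autoescape=True (the default) is the behaviour the headline describes:
    every variable is escaped unless it is Markup. autoescape=False is the
    old opt-in model, where a single forgotten escape is an XSS hole.
    """
    def substitute(match):
        value = context.get(match.group(1), "")
        return escape(value) if autoescape else str(value)
    return _VAR.sub(substitute, template)


# Constructed sample input: a display name a user might submit in a form.
USER_NAME = "<script>alert('xss')</script>"
TEMPLATE = '<p title="{{ name }}">Hi {{ name }}</p>'


def render_default():
    """Auto-escaped output: the payload becomes inert text."""
    return render(TEMPLATE, {"name": USER_NAME})


def render_opt_in():
    """Legacy output with escaping off: the script tag survives verbatim."""
    return render(TEMPLATE, {"name": USER_NAME}, autoescape=False)


def render_trusted():
    """Markup is the explicit escape hatch for HTML the developer vouches for."""
    return render("<div>{{ body }}</div>", {"body": Markup("<em>ok</em>")})


if __name__ == "__main__":
    print(render_default())
    print(render_opt_in())
    print(render_trusted())
```

The escaping here is correct only for HTML text and quoted-attribute contexts; a variable interpolated into a JavaScript block, a URL, or an unquoted attribute needs a different encoder, which is why auto-escaping removes the common mistake but does not replace context-aware output encoding.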
