Jon Ribbens
> @adamchainz Hi, try this one:
>
> ```
> In [2]: t = Template("""click me""")
> ```

But that's due to a bug in your template, not a problem...
> There is no problem with `escapejs`, but it can mislead developers to trust the `escapejs` if you say _"this makes the string safe for use in HTML and JavaScript...
@carltongibson What is the problem with saying it's "safe to use in HTML"? It's true, and it doesn't violate "secure by default". What scenario is being imagined whereby a problem...
But that's what I was just saying, the current text is not "better", the current text is false, and worse than that, it's gibberish. It has no discernible meaning. There...
> It seems pretty clear TBH, much clearer than trying to specify an exact set of **safe** usages. (Recalling that **safe** means not subject to injection attacks)

My patch specifies...
> We seem to be going round in circles... 🤔
>
> The point about the output being unsafe is (I take it) that you can't pass arbitrary data from...
Ok. So, firstly, what does `escapejs` do *exactly*? We can see from [django/utils/html.py](https://github.com/django/django/blob/main/django/utils/html.py) that it transforms the following characters:

```
\x00-\x1f \ ' " > < & = - ;...
```
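The character mapping described in the comment above, as an added illustration rather than Django's own implementation: the helper names `escape_js`, `only_escapes_remain` and `decode_js_literal` and the sample string are constructed here, and the mapping covers only the characters the comment lists.

```python
import json
import re

# Constructed reimplementation of the mapping the comment describes:
# control characters \x00-\x1f and the listed punctuation become \uXXXX
# escapes, which are meaningful inside a JavaScript string literal only.
_JS_ESCAPES = {ord(c): "\\u%04X" % ord(c) for c in "\\'\"><&=-;"}
_JS_ESCAPES.update({z: "\\u%04X" % z for z in range(32)})

# Matches the escapes produced above so they can be discounted when checking.
_ESCAPE_RE = re.compile(r"\\u[0-9A-F]{4}")

# Characters that could end a string literal, open/close an HTML tag,
# or otherwise be interpreted outside the literal if left unescaped.
_DANGEROUS = set("\\'\"<>&=-;\n\r\t")


def escape_js(value: str) -> str:
    """Escape `value` for placement inside a JavaScript string literal."""
    return str(value).translate(_JS_ESCAPES)


def only_escapes_remain(escaped: str) -> bool:
    """True if, once the \\uXXXX escapes are removed, nothing dangerous remains.

    This is the property that makes the output safe *inside a quoted JS
    string literal*: no quote can close the literal early and no '<' or '>'
    can open or close a tag such as </script>.
    """
    stripped = _ESCAPE_RE.sub("", escaped)
    return not any(c in _DANGEROUS for c in stripped)


def decode_js_literal(escaped: str) -> str:
    """Evaluate the escaped text as a string literal.

    JSON string syntax accepts the same \\uXXXX escapes as JavaScript, so
    json.loads is a convenient stand-in for a JS engine here.
    """
    return json.loads('"' + escaped + '"')


if __name__ == "__main__":
    sample = 'O\'Brien <b>&</b>; x=y-1 "q"\n'  # constructed input
    out = escape_js(sample)
    print(out)
    print(only_escapes_remain(out), decode_js_literal(out) == sample)
```

The round trip through `decode_js_literal` shows the escaping is lossless for the literal context, while `only_escapes_remain` is the check a reviewer would run to confirm no HTML- or JS-significant character survives in the escaped text.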
@apollo13 I'm not sure that everyone in the world should have to write code according to your personal opinions ;-) I would not want to see this filter removed. Having...
@apollo13

> > I would not want to see this filter removed.
>
> May I ask what you are using it for and why you think there are no...
Also, space should go down a page...