[Grok-dev] zope has auto-escaping by default of variables to
protect against XSS attacks
faassen at startifact.com
Wed Nov 14 20:31:09 EST 2007
I was just highly amused to read this headline as #3 on
Just checked in to Django trunk: auto-escaping of all variables in
templates, to protect against XSS attacks by default
It links to here:
Of course the Django developers didn't make this the "news" themselves,
but it's still funny that people apparently consider this as news worth
mentioning. It just landed on the *trunk*, it isn't even released yet.
Zope has been doing this for a while. A long while. The Zope community
(ZC in particular, I think) was actually one of the first to do
something about it, in the year 2000.
This shows how good the Django project is about getting promoted, I guess.
Quoting Zope Weekly News from 2000:
"there's also going to be a "talk on the CERT Advisory",
http://www.oreillynet.com/pub/w/evening_events.html about cross-site
scripting, a web-wide security issue that the Zope Community was among
the first to begin implementing security policies for: they'll land with
So, back in 2000 we did announce this as news, but then again this was
the time of the first CERT advisory on the topic, so it *was* news.
(Hey. I helped man that Zope booth at that Linux Tag that year, I think!
First time I met Stephan Richter as well, among others. Stephan organized
it. Already a busy bee then, and never changed :)