Automatic Escaping is Not a “Newbie Feature”

1 August 2007

A thread was started on the Django Development Mailing List about picking up the work Simon Willison started over a year ago on the AutoEscaping proposal. Which is a good idea, to be sure.

Jacob Kaplan-Moss on that thread:

Experienced developers like you and me are gonna hate this since it feels like making Django not trust us any more.

However, there's a huge number of not-so-experienced developers out there, and we have to keep their best needs in mind. Again with the PHP: we've seen how well trusting developers not to write security holes works. Anything we can do to prevent newbies from XSS attacks, we should.

(I'll resist commenting on the “it feels like making Django not trust us any more” line, which I find kind of ironic, personally. Anyway…)

Does that sound a bit like “I'm smart, I don't need no stinking garbage collection!” to anyone else?

Face it, escaping and cross-site scripting are not “newbie” problems. They happen to all of us, just as buffer overflows do in languages that allow them to happen.

Django is supposed to be about developing quality web applications rapidly. Automatic escaping is not just about protecting your “users from shooting themselves in the foot”, it's about security by default and enhanced productivity. Seriously, am I the only one who is annoyed to no end by having to remember those silly things you need to add to 90% of your variable substitutions in templates to have them escaped? (And, by the way, if your number is lower than 90%, something's seriously wrong with the design of your application.)

I understand this stuff isn't trivial. With a large code base, a too simplistic implementation of automatic escaping can easily make matters worse: if every substitution is escaped regardless of where the value came from, markup produced by your own helpers gets double-escaped, and the first thing developers do is punch holes in the escaping to make the output look right again. That's why Genshi provides a framework for this stuff, and works best when you use this framework throughout all the parts of your application that happen to be producing markup.
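To make the “too simplistic implementation makes matters worse” point concrete, here is an added example (mine, not code from this post, from Django or from Genshi). It loosely follows the idea Genshi's approach is built on: a string type that records that its content is already safe markup, an escape function that leaves such strings alone, and concatenation that escapes whatever untrusted text is joined to it. The `Markup`, `escape`, `naive_escape`, `render` and `link` names, the `${name}` substitution syntax and the sample inputs are all my own constructions.

```python
import html
import re


class Markup(str):
    """A string known to be safe markup. escape() leaves it untouched, and
    joining it with untrusted text escapes that text first, so the result
    is safe again. (Illustrative type, not Genshi's own implementation.)"""

    __slots__ = ()

    def __add__(self, other):
        return Markup(str(self) + str(escape(other)))

    def __radd__(self, other):
        return Markup(str(escape(other)) + str(self))

    def join(self, parts):
        return Markup(str(self).join(str(escape(p)) for p in parts))

    def __repr__(self):
        return "Markup(%s)" % str.__repr__(self)


def escape(value):
    """Escape a value for HTML text/attribute context, unless it is already
    Markup. Calling escape() twice is therefore harmless (no double escaping)."""
    if isinstance(value, Markup):
        return value
    return Markup(html.escape(str(value), quote=True))


def naive_escape(value):
    """The 'too simplistic' variant: escape everything, whatever its origin.
    Safe against XSS, but it mangles markup your own code produced."""
    return html.escape(str(value), quote=True)


_VAR = re.compile(r"\$\{(\w+)\}")


def render(template, context, escape_fn=escape):
    """Tiny template engine: literal template text is trusted, every ${name}
    substitution goes through escape_fn. Returns Markup so the rendered page
    can itself be embedded in a larger template without being re-escaped."""
    return Markup(_VAR.sub(lambda m: str(escape_fn(context[m.group(1)])), template))


def link(url, label):
    """A helper that builds markup from untrusted pieces. Because only the
    literal fragments are Markup, the url and label get escaped on the way in."""
    return Markup('<a href="') + url + Markup('">') + label + Markup("</a>")


# Constructed sample input: a hostile comment and a link built from user data.
USER_COMMENT = "<script>alert(1)</script>"
URL = "http://example.com/?q=a&b"
LABEL = 'Click "here"'
TEMPLATE = "<p>${comment}</p><p>${link}</p>"


def demo():
    """Render the same context both ways and return both outputs."""
    context = {"comment": USER_COMMENT, "link": link(URL, LABEL)}
    return {
        "framework": render(TEMPLATE, context),
        "naive": render(TEMPLATE, context, escape_fn=naive_escape),
    }


if __name__ == "__main__":
    out = demo()
    print("framework:", out["framework"])
    print("naive:    ", out["naive"])
```

With the framework variant the comment comes out as `&lt;script&gt;...` while the link helper's output is left intact, because the helper already escaped the URL and label when it concatenated them. With `naive_escape` the very same context renders the link as literal `&lt;a href=...` text with `&amp;amp;` inside it, which is exactly the moment a developer reaches for an “unescaped” marker and, sooner or later, applies it to a value that came from a request. A safe-markup type removes the reason to do that: what is already safe stays safe, what is not gets escaped, and the template author does not have to remember anything.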