Template Engines ¶

The main concern with template engines is what escaping they can do to prevent Cross-Site Scripting (XSS).

Warning:

None of the template engines examined here do enough escaping to prevent XSS when user-supplied data is used in unquoted HTML attributes. So...

Always quote your HTML attributes!

Name	Autoescaping Mechanism?	Autoescaping on by default?
Chameleon	?	?
Django Templating	Yes	Yes, in >= 1.0
Genshi	Yes	?
Jinja	Yes	No
Mako	Yes	No

Version: latest
Edited by Craig Younkins on 6/23/10 2:58 PM
History
Edit

Creative Commons 3.0 License

Where Am I?

You're on PythonSecurity.org, the home for security in Python.

This page

Edit
History | Feed

This wiki

All pages | Feed
Latest changes | Feed

An OWASP project created by Craig Younkins

Powered by Moe and Google App Engine