Forum OpenACS Development: Re: HTML quoting in the templating system

Posted by Jeff Davis on
No, Eduardo, this is not a hack given that in the majority of cases the variables should in fact be quoted. The default behavior should be what is most common. Doing it this way means that if someone is either inexperienced or careless you still get a page which is not susceptible to cross-site scripting exploits, and the way it breaks is obvious and easy to fix.

Doing it the other way around makes the failure mode silent and exposes your site to a security risk.
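To make the two default policies above concrete, here is a small Python mock-up of a variable-substitution renderer. It is an added example, not OpenACS templating code; the `@var@` / `@var;noquote@` token syntax is borrowed only as a convention, and the template strings and values are constructed. `render` implements the quote-by-default policy the post argues for; `render_raw_default` implements the opposite policy so the silent failure mode can be compared side by side.

```python
import html
import re

# Tokens look like @name@ (escaped) or @name;noquote@ (raw). Constructed
# syntax for this example; an explicit marker is what makes raw output
# visible in code review.
TOKEN = re.compile(r"@(\w+)(;noquote)?@")

def render(template: str, variables: dict) -> str:
    """Quote-by-default: every substituted value is HTML-escaped unless the
    template author explicitly opts out with ;noquote."""
    def substitute(match: re.Match) -> str:
        name, noquote = match.group(1), match.group(2)
        value = str(variables[name])          # KeyError for a missing var is loud, as it should be
        return value if noquote else html.escape(value, quote=True)
    return TOKEN.sub(substitute, template)

def render_raw_default(template: str, variables: dict) -> str:
    """The inverse policy, for contrast: values are inserted raw unless the
    author remembers to write ;quote. A forgotten marker fails silently."""
    raw_token = re.compile(r"@(\w+)(;quote)?@")
    def substitute(match: re.Match) -> str:
        name, quote = match.group(1), match.group(2)
        value = str(variables[name])
        return html.escape(value, quote=True) if quote else value
    return raw_token.sub(substitute, template)

def forgot_the_marker() -> tuple:
    """A careless template written under each policy, given the same
    untrusted value (constructed). Under quote-by-default the markup shows up
    as literal text, which the author notices and fixes; under raw-by-default
    the markup is rendered, and nothing on the page looks wrong to the author."""
    untrusted = {"name": '<b onmouseover="x()">Eduardo</b>'}
    template = "<p>Hello @name@</p>"          # no marker either way
    return render(template, untrusted), render_raw_default(template, untrusted)

if __name__ == "__main__":
    safe, silent = forgot_the_marker()
    print("quote-by-default :", safe)
    print("raw-by-default   :", silent)
    # Trusted, already-formatted HTML still has an explicit, greppable opt-out:
    print(render("<div>@body;noquote@</div>", {"body": "<em>ok</em>"}))
```

The design point is that the opt-out is a visible token in the template, so a reviewer can grep for `;noquote` and audit every place raw HTML is emitted, whereas under the raw-by-default policy the dangerous case is the absence of a marker, which nothing flags.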