author: Chris McDonough <chrism@plope.com> 2011-05-27 22:52:26 -0400
committer: Chris McDonough <chrism@plope.com> 2011-05-27 22:52:26 -0400
commit: b90b9e03bb3ce56197c9fe8ed6c414853979805e (patch)
tree: 4676e50cae7ce60967fc60a982510cc969b7a1f0 /CHANGES.txt
parent: 2c65826a9d03282f7192ddee80f09a86d1033d98 (diff)
parent: d0f62591ceb2f6ba6efe98ccf75703e7baee687e (diff)
download: pyramid-b90b9e03bb3ce56197c9fe8ed6c414853979805e.tar.gz, pyramid-b90b9e03bb3ce56197c9fe8ed6c414853979805e.tar.bz2, pyramid-b90b9e03bb3ce56197c9fe8ed6c414853979805e.zip
Merge branch 'master' of github.com:Pylons/pyramid
Diffstat (limited to 'CHANGES.txt')
-rw-r--r-- CHANGES.txt 7
1 file changed, 7 insertions, 0 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 8b2dae7f1..9dd1af2c5 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -236,6 +236,13 @@ Deprecations
Behavior Changes
----------------
+- The default Mako renderer is now configured to escape all HTML in
+ expression tags. This is intended to help prevent XSS attacks caused by
+ rendering unsanitized input from users. To revert this behavior in user's
+ templates, they need to filter the expression through the 'n' filter.
+ For example, ${ myhtml | n }.
+ See https://github.com/Pylons/pyramid/issues/193.
+
- A custom request factory is now required to return a response object that
has a ``response`` attribute (or "reified"/lazy property) if they the
request is meant to be used in a view that uses a renderer. This
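Review bot: the new Behavior Changes entry should say explicitly that `| n` switches off the escaping entirely for that expression, so it must only be applied to HTML the application has already sanitized or fully controls; as written, "To revert this behavior in user's templates, they need to filter the expression through the 'n' filter" reads as a neutral opt-out rather than a deliberate trust decision. Two smaller points on the same lines: the wording "in user's templates, they need to" is ungrammatical and would read better as "in their templates, users need to", and since this is a default change that existing templates relying on pre-escaped content will now double-escape, the entry should state whether there is a way to restore the old default for a whole application rather than only per expression. The typo "if they the request" in the unchanged context below the hunk is pre-existing and out of scope here, but worth a follow-up fix.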