Attempt to fix issue #193 by setting mako default filter to 'h'.

author: Michael Merickel <michael@merickel.org> 2011-05-27 03:37:22 -0500
committer: Michael Merickel <michael@merickel.org> 2011-05-27 03:37:22 -0500
commit: 18b25a643bb7fe4c8dc1f832470c1cf2ff513a9e (patch)
tree: 4676e50cae7ce60967fc60a982510cc969b7a1f0 /docs/whatsnew-1.1.rst
parent: 58b7d199c559f5008b81e0c46f22f0b8f03f2fa3 (diff)
download: pyramid-18b25a643bb7fe4c8dc1f832470c1cf2ff513a9e.tar.gz
pyramid-18b25a643bb7fe4c8dc1f832470c1cf2ff513a9e.tar.bz2
pyramid-18b25a643bb7fe4c8dc1f832470c1cf2ff513a9e.zip
1 files changed, 9 insertions, 0 deletions
diff --git a/docs/whatsnew-1.1.rst b/docs/whatsnew-1.1.rst
index ea56e2020..761fa8d3a 100644
--- a/docs/whatsnew-1.1.rst
+++ b/docs/whatsnew-1.1.rst
@@ -94,6 +94,15 @@ Minor Feature Additions
 Deprecations and Behavior Differences
 -------------------------------------
 
+- The default Mako renderer is now configured to escape all HTML in
+  expression tags. This is intended to help prevent XSS attacks caused by
+  rendering unsanitized input from users. To revert this behavior in user's
+  templates, they need to filter the expression through the 'n' filter::
+
+     ${ myhtml | n }.
+
+  See https://github.com/Pylons/pyramid/issues/193.
+
 - Deprecated all assignments to ``request.response_*`` attributes (for
   example ``request.response_content_type = 'foo'`` is now deprecated).
   Assignments and mutations of assignable request attributes that were
author	Michael Merickel <michael@merickel.org>	2011-05-27 03:37:22 -0500
committer	Michael Merickel <michael@merickel.org>	2011-05-27 03:37:22 -0500
commit	18b25a643bb7fe4c8dc1f832470c1cf2ff513a9e (patch)
tree	4676e50cae7ce60967fc60a982510cc969b7a1f0 /docs/whatsnew-1.1.rst
parent	58b7d199c559f5008b81e0c46f22f0b8f03f2fa3 (diff)
download	pyramid-18b25a643bb7fe4c8dc1f832470c1cf2ff513a9e.tar.gz pyramid-18b25a643bb7fe4c8dc1f832470c1cf2ff513a9e.tar.bz2 pyramid-18b25a643bb7fe4c8dc1f832470c1cf2ff513a9e.zip