From 18b25a643bb7fe4c8dc1f832470c1cf2ff513a9e Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Fri, 27 May 2011 03:37:22 -0500 Subject: Attempt to fix issue #193 by setting mako default filter to 'h'. --- CHANGES.txt | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index 8b2dae7f1..9dd1af2c5 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -236,6 +236,13 @@ Deprecations Behavior Changes ---------------- +- The default Mako renderer is now configured to escape all HTML in + expression tags. This is intended to help prevent XSS attacks caused by + rendering unsanitized input from users. To revert this behavior in user's + templates, they need to filter the expression through the 'n' filter. + For example, ${ myhtml | n }. + See https://github.com/Pylons/pyramid/issues/193. + - A custom request factory is now required to return a response object that has a ``response`` attribute (or "reified"/lazy property) if they the request is meant to be used in a view that uses a renderer. This -- cgit v1.2.3
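Review bot: The added CHANGES.txt entry tells users to revert escaping with `${ myhtml | n }` without saying what that implies: the 'n' filter disables the default filter chain for that expression, so the value is emitted raw, and the entry should state that `| n` is appropriate only for markup the application already trusts, otherwise the XSS protection this change introduces is silently undone for that expression. Suggested wording for the last two added sentences: "To revert this behavior for a single expression, filter it through the 'n' filter, which disables escaping entirely and should only be used for markup you trust. For example, ${ myhtml | n }." The same lines also have a grammar slip ("in user's templates, they need to filter") that the rewording above fixes. Separately, the subject line says the fix is made "by setting mako default filter to 'h'", but the view here is limited to CHANGES.txt (1 file changed, 7 insertions), so the renderer configuration that actually sets the default filter cannot be verified from this diff; the entry should be reviewed together with the code change it documents, and it would help to name the setting the entry relies on so readers of the changelog can find it.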