From 58b7d199c559f5008b81e0c46f22f0b8f03f2fa3 Mon Sep 17 00:00:00 2001 From: Carlos de la Guardia Date: Thu, 26 May 2011 18:56:46 -0700 Subject: Fix typo to close issue 196. --- docs/narr/project.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/narr/project.rst b/docs/narr/project.rst index c1558266a..e60708b6d 100644 --- a/docs/narr/project.rst +++ b/docs/narr/project.rst @@ -628,7 +628,7 @@ implementations. ``production.ini`` ~~~~~~~~~~~~~~~~~~~ -The ``development.ini`` file is a :term:`PasteDeploy` configuration file with +The ``production.ini`` file is a :term:`PasteDeploy` configuration file with a purpose much like that of ``development.ini``. However, it disables the WebError interactive debugger, replacing it with a logger which outputs exception messages to ``stderr`` by default. It also turns off template -- cgit v1.2.3 From 18b25a643bb7fe4c8dc1f832470c1cf2ff513a9e Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Fri, 27 May 2011 03:37:22 -0500 Subject: Attempt to fix issue #193 by setting mako default filter to 'h'. --- docs/whatsnew-1.1.rst | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'docs') diff --git a/docs/whatsnew-1.1.rst b/docs/whatsnew-1.1.rst index ea56e2020..761fa8d3a 100644 --- a/docs/whatsnew-1.1.rst +++ b/docs/whatsnew-1.1.rst 
@@ -94,6 +94,15 @@ Minor Feature Additions Deprecations and Behavior Differences ------------------------------------- +- The default Mako renderer is now configured to escape all HTML in + expression tags. This is intended to help prevent XSS attacks caused by + rendering unsanitized input from users. To revert this behavior in user's + templates, they need to filter the expression through the 'n' filter:: + + ${ myhtml | n }. + + See https://github.com/Pylons/pyramid/issues/193. + - Deprecated all assignments to ``request.response_*`` attributes (for example ``request.response_content_type = 'foo'`` is now deprecated). Assignments and mutations of assignable request attributes that were -- cgit v1.2.3
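Review bot: In the first hunk (docs/narr/project.rst), the correction is consistent with its context lines: the section heading ``production.ini`` directly above and the following line's comparison "much like that of ``development.ini``" both confirm that the old sentence named the wrong file, so no further change is needed there. A full issue URL in the commit subject, as the second commit provides, would make the reference to issue 196 easier to follow.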
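Review bot: In the second hunk (docs/whatsnew-1.1.rst), the new entry should say that the ``n`` filter disables the default filter for that expression entirely, so it belongs only on values already known to be safe HTML; as written, "To revert this behavior in user's templates" reads as a neutral opt-out with no mention of the risk. Two smaller points in the same lines: the literal block ``${ myhtml | n }.`` carries a trailing period inside the indented block, so it renders as part of the code sample (drop it or move it to the preceding sentence), and "user's templates" should read "users' templates". Finally, this excerpt is limited to ``docs``, so the change to the Mako renderer's default filter that the subject line describes is not visible here; confirm the renderer change lands in the same change set, and check whether templates that already apply an explicit ``| h`` now double-escape under the new default, documenting that in this entry if they do.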