
In response to XML or Text for Python Templates?

There are a number of (very good) templating systems and languages available for Python. They fall into one of two camps; either they are XML based, like Genshi, or they are text based, like Mako. Most programmers favour one or the other, but there is far from a consensus over which is better.

I'd like to use this debate to gather reasons for using one over the other in the context of web development. I suspect there will be no clear winner, but it should serve as a useful resource for those faced with the decision!

...

NB. You can post code with the [code] bbcode tag. Many languages are supported. e.g.

[code python]
print "Hello, World!"
[/code]



Martijn Faassen argues for "XML"
Mon, 15 Oct 2007 by faassen
Rank 1. Average +1.6 ( 5 votes )

When programming (X)HTML templates, it is important for security reasons to escape any user-generated input, as otherwise users may be able to sneak arbitrary HTML into a page that other users see. XML-based templating languages such as ZPT or Genshi support automatic escaping by default. Text-based templating languages such as Django's and Mako apparently do not. The knowledge of the underlying XML structure may make automatic escaping easier to implement. While the lack of this security feature may not be an inherent shortcoming of text-based templating languages, it does at least seem to be a cultural difference.

Simon Willison comments...
Mon, 15 Oct 2007 by simonw
I 100% agree that template systems designed for the Web should escape variable output by default, but this is not something that is unique to XML template languages. Auto-escaping for Django's template system has been under discussion for quite a while and is likely to go in before Django 1.0 ships: http://code.djangoproject.com/wiki/AutoEscaping [code.djangoproject.com]

Martijn Faassen comments...
Tue, 16 Oct 2007 by faassen
Good to hear it's going in. Last I heard about this debate in the Django community it wasn't certain yet. This significantly weakens this argument though, even the already much weaker "cultural difference" variety.


mike comments...
Tue, 16 Oct 2007 by zzzeek
I think there's a bit of a strawman going on here... being a non-XML template system and having expression escaping on by default are not mutually exclusive; so this is not really an argument to use "an XML template system", at best it's an argument to not use Mako or Django, and even then only due to the notion that "having global expression escaping *available* is not enough; it must be *on by default* otherwise people will never be smart enough to turn it on". Of course these systems support global expression escaping as an option (and Mako supports it per config, per page, per expression, in reverse as well... so there's no issue of the feature not being available).

But even the "it's not on by default" argument fades when you see that a web framework like Pylons *can* make the decision to turn on Mako's expression escaping, and that's the appropriate place for it, i.e. the application level which is aware that we are generating markup, such as HTML or XML. Mako by itself has no idea you're generating HTML/XML-style markup so cannot turn such a feature on "by default". An XML-only system of course can make this assumption, since it only generates XML markup. But if we're concerned about novice users (and I can't imagine who else we are worried about with this one), it's a non-issue; they're going to use Pylons or Django, not the template systems by themselves, and those frameworks can make appropriate decisions regarding escaping settings. If a novice user is writing his or her own web framework with which to embed Mako, there are a lot more security holes to be aware of than just expression escaping.
Martijn Faassen comments...
Tue, 16 Oct 2007 by faassen
Sure, it's not the strongest of arguments and your points about Mako (and Simon's point about Django's templating system above) weaken it further.
Mario Ruggier comments...
Fri, 21 Mar 2008 by mario
Martijn
Text-based templating languages such as Django's and Mako apparently do not.


Both Evoque [evoque.gizmojo.org] and Qpy [mems-exchange.org] text templating systems do automatic escaping by default.

They achieve this by the use of the h8 quoted-string class from Qpy -- the key feature is its infectiousness i.e. that concatenation with other non-h8 strings will cause those other strings to be cast to h8 strings, i.e. escaped. This guarantees that all input is always quoted and quoted only once, and can claim guaranteed automatic cross-site scripting protection.

Neither of these templates know or assume anything about the application's context. And if you do not want to escape, there is a simple way to explicitly state that. Evoque [evoque.gizmojo.org] takes this a little step further by allowing for any quoted-string class to be specified on a per template basis.
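As an added illustration of the two ideas in this thread (the escaping risk Martijn raises at the top, and the "infectious" quoted-string mechanism Mario describes), the following Python is not code from the original posts and is not Qpy's or Evoque's real implementation. `H8`, `render_unsafe` and `render_safe` are hypothetical names; the template and the `<script>` payload are constructed sample input. It shows a text template rendered with escaping off (raw input reaches the page) and the same template assembled from an infectious escaped-string type, where every value is quoted exactly once and an explicitly marked value is left alone.

```python
import html
import re


class H8(str):
    """Constructed stand-in for an 'infectious' quoted-string class (hypothetical,
    modelled loosely on the h8 idea described in the thread; not Qpy's code).

    An H8 value is markup that is already safe to emit. Concatenating anything
    that is not H8 onto it escapes that other value first, so output assembled
    from H8 pieces never carries raw user input. Values that are already H8 are
    passed through untouched, which is what gives 'quoted exactly once'.
    """

    __slots__ = ()

    def __new__(cls, value=""):
        # Plain construction marks the text as trusted (the template author's
        # own literal markup). Untrusted data must go through H8.quote().
        return str.__new__(cls, value)

    @classmethod
    def quote(cls, value):
        """Escape `value` for HTML unless it is already H8 (never double-escape)."""
        if isinstance(value, cls):
            return value
        return str.__new__(cls, html.escape(str(value), quote=True))

    # The 'infectious' part: every concatenation path quotes the non-H8 side.
    def __add__(self, other):
        return H8(str.__add__(self, H8.quote(other)))

    def __radd__(self, other):
        return H8(str.__add__(H8.quote(other), self))

    def join(self, parts):
        return H8(str.join(self, [H8.quote(p) for p in parts]))

    # Caveat of this toy: other str methods (.upper(), slicing, .format()) still
    # return plain str; a production class would have to wrap those as well.


_PLACEHOLDER = re.compile(r"\{(\w+)\}")


def render_unsafe(template, **ctx):
    """Text templating with escaping off: values are interpolated verbatim."""
    return _PLACEHOLDER.sub(lambda m: str(ctx[m.group(1)]), template)


def render_safe(template, **ctx):
    """Same template, but assembled as H8 so every value is quoted exactly once.

    Template literals are trusted markup; substituted values are quoted unless
    the caller deliberately passed an H8 (the explicit 'do not escape' path).
    """
    out = H8()
    pos = 0
    for m in _PLACEHOLDER.finditer(template):
        out = out + H8(template[pos:m.start()])   # trusted literal from the template
        out = out + ctx[m.group(1)]                # quoted unless already H8
        pos = m.end()
    return out + H8(template[pos:])


# Constructed sample input, not taken from the thread.
TEMPLATE = "<p>Hello, {name}! {greeting}</p>"
PAYLOAD = "<script>alert(1)</script>"


if __name__ == "__main__":
    print(render_unsafe(TEMPLATE, name=PAYLOAD, greeting="hi"))
    print(render_safe(TEMPLATE, name=PAYLOAD, greeting=H8("<b>hi</b>")))
```

Run stand-alone it prints the unescaped page first (the script tag survives intact) and then the escaped one, where the user value is entity-encoded while the `H8("<b>hi</b>")` passed in by the caller is emitted as markup. The point of routing everything through the string type rather than through a template-engine setting is the one Mario makes: the renderer needs to know nothing about the application, and "quoted once" holds because `H8.quote` is idempotent on its own instances.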

