My streak ends

First up, the bad news: my streak of one Django-related post per day in November is going to come to an end tomorrow. Some Thanksgiving plans (technically pre-Thanksgiving by a week, but nothing wrong with celebrating a little early) I’d had which were first on, then off, and are now on again, will be taking me out of town and probably offline from tomorrow morning through Sunday night. I toyed with the idea of putting together four entries and post-dating them to show up at the right times, but things have been a bit hectic lately and it just didn’t work out.

But there’s good news, in the form of automatic escaping of template output, which landed in Django’s trunk today. This is a feature that’s been kicking around for a while, with a lot of heated debate, and Malcolm finally sat down and implemented it properly. What this means is that the output of template variables — anything that’s wrapped in `{{` and `}}` in your templates — will automatically be escaped; characters which have special meaning in HTML, and which, if you display them directly from certain sources, could open up cross-site scripting vulnerabilities, will automatically be replaced with the appropriate character entities.

Before anyone goes shouting about it, it’s configurable; you can turn it off if you don’t want it. And it doesn’t work like PHP’s god-awful `magic_quotes`: turning it off happens right in the template, where you can see it, and it doesn’t touch incoming data. Go see the auto-escaping documentation for all the details.
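To make the two points above concrete (escaping happens on output, and switching it off is a visible, scoped decision inside the template), here is a small stand-alone illustration. It is an added example, not Django’s template engine or any code from the post: `html_escape`, `SafeString`, `render` and the entity table are hypothetical stand-ins that mimic the behaviour of Django’s `escape` filter, `mark_safe()` and the `{% autoescape %}` tag on a deliberately tiny subset of the template language.

```python
import re

# Characters with special meaning in HTML and the entities that replace them.
# The order matters: '&' must be handled first so the ampersands introduced by
# the other entities are not escaped a second time (dicts keep insertion order).
HTML_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
}


class SafeString(str):
    """A string already known to be safe HTML; the renderer leaves it alone.

    Hypothetical stand-in for the result of Django's mark_safe().
    """


def html_escape(value):
    """Return an HTML-safe version of value (a SafeString is returned as-is)."""
    if isinstance(value, SafeString):
        return value
    text = str(value)
    for ch, ent in HTML_ESCAPES.items():
        text = text.replace(ch, ent)
    return SafeString(text)


# {{ name }}  -- a variable reference
VAR_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")
# {% autoescape on|off %} ... {% endautoescape %}  -- a scoped override
BLOCK_RE = re.compile(
    r"\{%\s*autoescape\s+(on|off)\s*%\}(.*?)\{%\s*endautoescape\s*%\}", re.S
)


def _render_vars(text, context, escaping):
    """Substitute variables in one template piece, escaping on output if asked."""
    def substitute(match):
        value = context.get(match.group(1), "")
        return html_escape(value) if escaping else str(value)
    return VAR_RE.sub(substitute, text)


def render(template, context, autoescape=True):
    """Render a template against context.

    The template is cut into pieces, each carrying its own escaping setting
    (the page-wide default, or the setting of the autoescape block it sits in),
    and every piece is rendered exactly once. Rendered output is never
    re-scanned, so '{{' appearing inside a *value* is never treated as a tag.
    The context itself is never modified: escaping is purely an output step.
    """
    pieces = []
    pos = 0
    for m in BLOCK_RE.finditer(template):
        pieces.append((template[pos:m.start()], autoescape))
        pieces.append((m.group(2), m.group(1) == "on"))
        pos = m.end()
    pieces.append((template[pos:], autoescape))
    return "".join(_render_vars(text, context, esc) for text, esc in pieces)


if __name__ == "__main__":
    # Constructed sample: a user-supplied comment containing markup and quotes.
    ctx = {"comment": 'Tom <b>&</b> "Jerry\'s"'}
    print(render("<p>{{ comment }}</p>", ctx))
    print(render("<p>{% autoescape off %}{{ comment }}{% endautoescape %}</p>", ctx))
    print(repr(ctx["comment"]))  # the stored data is untouched either way
```

The `SafeString` marker is what lets already-escaped output pass through a second `html_escape` without being double-escaped, and the single-pass design is what stops a value containing `{{ ... }}` from being interpreted as a variable when it is rendered inside an `autoescape off` block.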

One other piece of good news, in case you haven’t seen it: the Django book is going to press. The site hasn’t updated with the final version (which fills in the last couple chapters and has undergone final editing) yet, but I’d imagine that’ll happen once the book is on shelves. Jacob and Adrian deserve a huge round of thanks for putting in all the hard work to provide a great free resource to the Django community (I don’t know exactly how well you do on royalties from a book you give away online, but I’d guess they aren’t going to make huge amounts of money on it).

I’ll be back late Sunday night, and hopefully I’ll resume daily posting on Monday; my apologies for the brief lapse, and I’ll see if I can’t use the actual Thanksgiving holiday to crank out a little extra material to make up for it.

Comments

Amit Upadhyay
November 15, 2007

Before you ended the series I was expecting some article/tip on how you manage path settings in your django projects. What I mean is, settings like TEMPLATE_DIRS and MEDIA_ROOT are expected to be absolute paths, and this makes sharing settings difficult. Sure, you have to modify the settings file for the database, for example, on all machines, and expecting developers to modify a few more settings is not such a big deal, but it’s a hassle. I usually have two or three copies of code checked out, one per bug that I am working on, and the database setting remains the same across all my developer machines, so the only thing I have to modify is the absolute paths.

I am using the following actually to make paths relative:

```python
# Uses Jason Orendorff's path.py module (the `path` class lives in the `path` module).
import path

# Directory containing this settings file.
SETTINGS_FILE_FOLDER = path.path(__file__).parent

# Build the absolute paths Django expects from the settings file's location.
TEMPLATE_DIRS = (
    SETTINGS_FILE_FOLDER.joinpath("templates"),
)
MEDIA_ROOT = SETTINGS_FILE_FOLDER.joinpath("static")
```

This way, throughout my code I can make all paths relative to my project.

stubblechin
November 15, 2007

Thank you so frigging much for the past several incredibly useful and informative entries. I’m actually glad you’re slacking off because I haven’t finished absorbing everything yet! Anyway, see you when you come back!

Erik
November 15, 2007

The new autoescaping feature threw me at first, but only until I saw the note at Simon Willison’s blog. Bypassing autoescape was easy to implement even for a relative newbie like me. Since I’m not using forms (yet), I just slapped {% autoescape off %} and {% endautoescape %} at the beginning and end of my base templates.

I imagine if you have a ton of “public” forms to escape this could be a bit more of a pain—but that still doesn’t justify the hate directed toward Malcolm. (Well, nothing would justify it, but still!)

Have a happy pre-Thanksgiving!

psicco
November 17, 2007

Thank you very much for all your useful entries until now. What do you think about an entry about debugging django? I just recently set up eclipse + pydev to work with django and the eclipse debugger works like a charm.

Christopher
November 20, 2007

Thanks James. This has definitely been my favourite blog for the last little while when it comes to things of Django :)

Hope your Thanksgiving is awesome.

Tom
November 20, 2007

I just wanted to throw my thanks in for the great posts you make concerning Django, not just this month but in the past as well. Whenever I want to brush up on Django tips and tricks I always browse the archives here. I hope you have a better Thanksgiving than me; something tells me KBR won’t be making the best spread for us suckers here in Afghanistan ;)

GiacomoL
November 23, 2007

Great job with these posts! Thanks so much!!
