

Google Security Team: Reducing XSS with Context-Aware Escaping in Templates - mbrubeck
http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html

======
tptacek
This is nice, but in no way game-changing. It's true that a lot of XSS slips
by because people forget about attribute quoting rules, and (more rarely)
expand content directly into inline JS. But it's also true that most XSS still
occurs in straight-up content, which is a setting for which every mainstream
framework already has effective filtering.

~~~
mbrubeck
The problem with most auto-escaping templates is that while they may save
typing (by turning on escaping by default, rather than making developers do it
explicitly), they don't save _thinking_. You still need to inspect each
template and make sure that the correct escaping is used for each interpolated
string. Context-aware systems like this one (or others that operate directly
on structured data rather than strings) allow you to rely to a much greater
extent on the computer for that work.

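Added example (not part of the thread or of Google's templating code): a toy Python renderer that does the "thinking" described above by scanning the literal template text, tracking whether each `{{name}}` placeholder sits in HTML text, inside a quoted attribute value, or inside a JS string literal in a `<script>` block, and picking the matching escaper. It refuses to render placeholders in contexts it does not model (unquoted attributes, bare JS expressions), which is the point of the approach: the template engine, not the reviewer, decides which escaping applies. The `{{name}}` syntax, the context set, and the sample value are constructed for this illustration; a real engine (Closure Templates, for instance) tracks many more contexts, including URLs, CSS, and JS comments and regex literals.

```python
import html
import re

# Contexts this toy engine tracks (a small subset of a real context-aware engine).
HTML_TEXT = "html_text"    # between tags
ATTR_VALUE = "attr_value"  # inside a quoted attribute value
JS_STRING = "js_string"    # inside a quoted JS string literal within <script>

TOKEN = re.compile(r"\{\{\s*(\w+)\s*\}\}")                      # {{name}} placeholders
TAG_OPEN = re.compile(r"<\s*(/?)\s*([A-Za-z][A-Za-z0-9]*)")      # '<', optional '/', tag name


def escape_html_text(value):
    return html.escape(str(value), quote=False)


def escape_attr_value(value):
    # quote=True also turns ' and " into entities so the value cannot close the attribute.
    return html.escape(str(value), quote=True)


def escape_js_string(value):
    # \xNN-escape everything except alphanumerics and space, so the value can neither
    # terminate the string literal nor contain "</script" to end the block.
    return re.sub(r"[^A-Za-z0-9 ]", lambda m: "\\x%02x" % ord(m.group()), str(value))


ESCAPERS = {HTML_TEXT: escape_html_text, ATTR_VALUE: escape_attr_value, JS_STRING: escape_js_string}


class _State:
    """Minimal HTML/JS lexer state advanced over the literal parts of a template."""

    def __init__(self):
        self.in_tag = False      # between '<name' and '>'
        self.tag_name = None
        self.closing = False     # the current tag is '</...>'
        self.attr_quote = None   # quote char of the attribute value we are inside
        self.in_script = False   # between <script> and </script>
        self.js_quote = None     # quote char of the JS string literal we are inside

    def context(self):
        if self.js_quote:
            return JS_STRING
        if self.attr_quote:
            return ATTR_VALUE
        if self.in_script or self.in_tag:
            return None          # unquoted attribute or bare JS: not modelled, so refuse
        return HTML_TEXT

    def feed(self, literal):
        i = 0
        while i < len(literal):
            c = literal[i]
            if self.in_script:
                if self.js_quote:
                    if c == "\\":          # skip the backslash-escaped character
                        i += 2
                        continue
                    if c == self.js_quote:
                        self.js_quote = None
                elif literal.startswith("</script", i):
                    self.in_script = False
                    self.in_tag, self.tag_name, self.closing = True, "script", True
                    i += len("</script")
                    continue
                elif c in "'\"":
                    self.js_quote = c
            elif self.in_tag:
                if self.attr_quote:
                    if c == self.attr_quote:
                        self.attr_quote = None
                elif c in "'\"":
                    self.attr_quote = c
                elif c == ">":
                    self.in_tag = False
                    self.in_script = self.tag_name == "script" and not self.closing
            else:
                m = TAG_OPEN.match(literal, i)
                if m:
                    self.in_tag = True
                    self.closing = m.group(1) == "/"
                    self.tag_name = m.group(2).lower()
                    i = m.end()
                    continue
            i += 1


def placeholder_contexts(template):
    """Return the context of each placeholder in order; None marks an unsupported spot."""
    state, contexts, pos = _State(), [], 0
    for m in TOKEN.finditer(template):
        state.feed(template[pos:m.start()])
        contexts.append(state.context())
        pos = m.end()
    return contexts


def render(template, values):
    """Substitute values into the template, escaping each one for its own context."""
    out, pos = [], 0
    for ctx, m in zip(placeholder_contexts(template), TOKEN.finditer(template)):
        if ctx is None:
            raise ValueError("placeholder %s sits in an unsupported context" % m.group(0))
        out.append(template[pos:m.start()])
        out.append(ESCAPERS[ctx](values[m.group(1)]))   # escaped output is context-neutral
        pos = m.end()
    out.append(template[pos:])
    return "".join(out)


# Constructed sample: the same untrusted value lands in three different contexts.
TEMPLATE = ('<p>Hello {{name}}</p>\n'
            '<a title="{{name}}" href="/u">profile</a>\n'
            '<script>var user = \'{{name}}\';</script>\n')
NAME = "O'Neil <b>"

if __name__ == "__main__":
    print(render(TEMPLATE, {"name": NAME}))
```

Running it prints the value escaped three ways: `O'Neil &lt;b&gt;` in text (where a bare apostrophe is harmless), `O&#x27;Neil &lt;b&gt;` in the attribute, and `O\x27Neil \x3cb\x3e` in the JS string. A single default escaper would have produced the first form in all three places, which is exactly the per-template inspection the comment above says context-aware engines remove.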
~~~
tptacek
I agree that it is at least convenient.

