On Fri, 4 June 2021 at 15:42, Richard Damon <Richard@damon-family.org> wrote:
I think one fundamental problem is that you can’t detect programmatically if a string needs to be escaped or not.

For instance, the sequence &amp; might be an already escaped & or it might be the text to tell you how to escape an ampersand and needs to be converted to &amp;amp;


That's a problem which Python can't solve. This is up to the consumer of InterpolationTemplate.

In the django world, it is solved via conditional_escape(): https://github.com/django/django/blob/3.2.4/django/utils/html.py#L92


Regards,
  Thomas

Promoting sloppy coding by handling the most common cases is the way to make it easier to create security vulnerabilities.

Maybe if escaped strings had a different type than unescaped strings, but then you need a bunch of different types for different rules for escaping.
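As an added example (not part of this thread, and not Django's own code), the following sketch shows the approach that conditional_escape() relies on and that the "different type for escaped strings" idea describes: the escaped/unescaped distinction is carried by a marker type, not recovered from the content. A plain str and a SafeString can hold the identical text `&amp;` and still be handled differently, which is exactly why inspecting the characters cannot decide the question. The names SafeString, mark_safe, conditional_escape and render are assumptions modelled on Django's API, not calls into Django; the template literals and values are constructed for the example.

```python
import html
from typing import Iterable, List


class SafeString(str):
    """A str subclass that marks its content as already HTML-escaped.

    The marker lives in the type, not in the text. Two values with identical
    characters (one plain str, one SafeString) are escaped differently, so the
    decision never depends on looking for things like '&amp;' in the content.
    """

    def __add__(self, other):
        # Safe + safe stays safe; safe + plain str degrades to a plain str,
        # so concatenating untrusted text silently drops the "safe" marker.
        if isinstance(other, SafeString):
            return SafeString(str.__add__(self, other))
        return str.__add__(self, other)


def mark_safe(s: str) -> SafeString:
    """Declare that `s` is already escaped. This call is the trust boundary:
    whoever calls it takes responsibility for the content."""
    return SafeString(s)


def escape(value: object) -> SafeString:
    """Escape unconditionally. A plain str containing '&amp;' is treated as
    literal text and becomes '&amp;amp;'."""
    return SafeString(html.escape(str(value), quote=True))


def conditional_escape(value: object) -> SafeString:
    """Escape unless the value is marked safe (the same contract as Django's
    conditional_escape, re-implemented here as an assumption)."""
    if isinstance(value, SafeString):
        return value
    return escape(value)


def render(literals: Iterable[str], values: Iterable[object]) -> SafeString:
    """Stand-in for a template-interpolation consumer.

    `literals` are the template author's own text and are trusted as-is;
    each interpolated value is escaped unless it was explicitly marked safe.
    len(literals) must equal len(values) + 1, as in a split format string.
    """
    lits: List[str] = list(literals)
    vals: List[object] = list(values)
    if len(lits) != len(vals) + 1:
        raise ValueError("need one more literal than interpolated values")
    out: List[str] = [lits[0]]
    for literal, value in zip(lits[1:], vals):
        out.append(conditional_escape(value))
        out.append(literal)
    return SafeString("".join(out))


if __name__ == "__main__":
    # Constructed inputs: identical text, different types, different results.
    print(escape("&amp;"))                         # &amp;amp;
    print(conditional_escape(mark_safe("&amp;")))  # &amp;
    print(render(["<p>", "</p>"], ["Tom & Jerry <3"]))
    print(render(["<p>", "</p>"], [mark_safe("<b>bold</b>")]))
```

The point the sketch makes is that `"&amp;" == mark_safe("&amp;")` is true as strings, yet one is escaped again and the other passes through: only the type carries the answer. It also shows the cost of the approach that the thread points at, since every distinct escaping context (HTML body, attribute, URL, JavaScript, SQL) would need its own marker type, and any concatenation with a plain str drops the marker.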