mike watkins dot ca : Django gets auto-escape

Django gets auto-escape

According to Simon Willison, Django now has auto-escaping of variable contents within templates. Good job.

I wouldn't even consider using a framework that didn't provide some sort of sane system for auto-quoting that which has not already been explicitly declared as safe. Both Quixote and QP have had this feature for many years.

Quixote's PTL template approach gained this capability circa 2002; QP's QPY, which is a very close cousin to PTL but decoupled from the web framework itself, has always had this ability.

In October 2003 one of Quixote's original authors, Neil Schemenauer, put forward a proposal that ultimately led to the implementation of a sane auto-quoting behaviour in PTL templates. (See also his PyCon 2003 talk)

In the fall of 2005, QP, a slightly more opinionated version of Quixote, was born of the same development shop, along with QPY: an unbundling of the PTL concept into string-like classes that make it easy to work with quote-aware and plain str / unicode objects virtually interchangeably.

QPY's smart string-like classes could be used by any templating system or web framework that hasn't solved this problem already.
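To make the "auto-quote everything that has not been declared safe" idea concrete, here is a small quote-aware string class in the spirit of Quixote's htmltext and QPY. This is an added example written for this page; it is not Quixote's, QPY's or Django's code, and the names SafeHTML, safe() and render_greeting() are made up for illustration. Plain str values that meet a SafeHTML through concatenation, % formatting or join are HTML-escaped; SafeHTML values pass through untouched, so the only way for raw markup to reach the output is an explicit safe() call.

```python
import html


class SafeHTML(str):
    """A str subclass whose contents are already HTML (hypothetical name).

    Combining a SafeHTML with a plain str escapes the plain side; combining it
    with another SafeHTML leaves both sides alone. Every operation returns a
    SafeHTML, so the 'already quoted' property survives through a template.
    """

    __slots__ = ()

    @staticmethod
    def _coerce(value):
        # The central rule: anything not already declared safe gets escaped,
        # including quote characters so the value is safe inside quoted attributes.
        if isinstance(value, SafeHTML):
            return value
        return html.escape(str(value), quote=True)

    def __add__(self, other):
        return SafeHTML(str.__add__(self, self._coerce(other)))

    def __radd__(self, other):
        # Python tries the subclass's reflected method first, so
        # "plain" + SafeHTML(...) also ends up here and gets escaped.
        return SafeHTML(str.__add__(self._coerce(other), self))

    def __mod__(self, args):
        # Escape each substitution before str's own %-formatting runs.
        if isinstance(args, tuple):
            args = tuple(self._coerce(a) for a in args)
        elif isinstance(args, dict):
            args = {k: self._coerce(v) for k, v in args.items()}
        else:
            args = self._coerce(args)
        return SafeHTML(str.__mod__(self, args))

    def join(self, iterable):
        return SafeHTML(str.join(self, (self._coerce(x) for x in iterable)))

    def __repr__(self):
        return "SafeHTML(%s)" % str.__repr__(self)


def safe(markup):
    """Explicitly declare markup as already-escaped HTML (hypothetical helper).

    This is the one place where untrusted data can slip through, so calls to
    it are what a reviewer should grep for.
    """
    return SafeHTML(markup)


def render_greeting(name, bio_html):
    """Render a tiny template: name is untrusted, bio_html is caller-vetted."""
    template = SafeHTML('<p>Hello, <b>%s</b>!</p>\n<div class="bio">%s</div>')
    return template % (name, bio_html)


if __name__ == "__main__":
    # Constructed sample input: a user-supplied name carrying a script tag.
    untrusted_name = '<script>alert(1)</script>"'
    print(render_greeting(untrusted_name, safe("<i>Author</i>")))
```

Two caveats a practitioner will want. First, the escaping here is HTML entity escaping, which is the right thing for element bodies and quoted attribute values; it does not make data safe inside a `<script>` block, an unquoted attribute, a `style` attribute or the scheme part of a URL, where a different encoding is needed. Second, the guarantee is only as good as the discipline around safe(): the class stops accidental injection, not a developer who wraps request data in safe() to make a warning go away.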