22.3. Avoiding Common Security Pitfalls
There are three common security problems in web applications: buffer overruns, Cross-Site Scripting (XSS) attacks, and SQL injection attacks. Because TurboGears applications are written in Python, your potential exposure to buffer overruns is minimal.
That leaves XSS and SQL injection attacks. XSS is made possible when user input is rendered to HTML without being escaped. Fortunately, Kid escapes everything you insert into your template for you automatically. As a result, the only time you need to think about XSS attacks is when you are using Kid's XML function to bypass escaping.
In addition, SQLObject automatically escapes any strings you pass to it, so unless you are constructing SQL by hand, you don't have to worry about SQL injection attacks.
Both SQL injection attacks and XSS attacks are subclasses of the same problem: user data is executed as code rather than processed as data. It's possible to do this in Python too, so you want to be very careful when using the exec statement anywhere even remotely near user-entered data.
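The three cases above (template escaping, hand-built SQL versus driver-escaped values, and exec near user input) all come down to the same rule: user input must stay data. The following added example, which is not code from the TurboGears book, Kid or SQLObject, shows that rule with the standard library only: html.escape stands in for Kid's automatic escaping, sqlite3 parameter binding stands in for SQLObject's escaping, and a lookup table of allowed functions stands in for exec. The table of users, the helper names and the sample inputs are all constructed for the example.

```python
import html
import sqlite3

# Constructed sample rows for an in-memory database (not from the page).
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("O'Brien", "obrien@example.com"),  # legitimate name containing a quote
]


def setup_db():
    """Create a throwaway in-memory users table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_by_hand(conn, name):
    """SQL built by hand: the user's string is pasted into the query text,
    so any quote in it is read as SQL syntax, not as part of the value."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    """Parameter binding: the driver carries `name` separately from the
    query text, which is the same guarantee SQLObject's escaping gives you."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def hand_built_query_fails(conn, name):
    """True when the hand-built query cannot even be parsed for `name`.
    A quote in ordinary input breaking the statement is the visible symptom
    of the same flaw that makes injection possible."""
    try:
        find_user_by_hand(conn, name)
    except sqlite3.Error:
        return True
    return False


def render_comment(text, trusted=False):
    """Template rule: escape by default. Only mark-up the application itself
    produced should bypass escaping (the role Kid's XML() plays)."""
    return text if trusted else html.escape(text)


# Fixed set of operations a request may select by name. User input chooses
# among trusted functions; it never becomes code, so exec is not needed.
ALLOWED_OPS = {
    "upper": str.upper,
    "lower": str.lower,
    "strip": str.strip,
}


def apply_op(op_name, value):
    """Dispatch through the allow-list instead of exec'ing user-supplied text."""
    try:
        op = ALLOWED_OPS[op_name]
    except KeyError:
        raise ValueError("unknown operation: %r" % op_name)
    return op(value)


if __name__ == "__main__":
    conn = setup_db()
    print("hand-built query breaks on O'Brien:", hand_built_query_fails(conn, "O'Brien"))
    print("parameterized query finds O'Brien:", find_user_parameterized(conn, "O'Brien"))
    print("escaped comment:", render_comment("<b>hi</b>"))
    print("dispatched op:", apply_op("upper", "hello"))
```

The hand-built query fails on a perfectly ordinary name because the apostrophe is parsed as the end of the string literal; the parameterized version returns the row. That difference, quoting characters changing the meaning of the statement, is exactly what SQLObject's escaping and Kid's automatic escaping remove, and it is why exec on user-entered text has no safe equivalent beyond restricting input to a choice among code you already wrote.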