Dominic Mitchell dom at happygiraffe.net
Fri Jun 16 14:34:51 BST 2006

On Fri, Jun 16, 2006 at 01:43:19PM +0100, Dave Cross wrote:
> Quoting Toby Corkindale <tjc at wintrmute.net>:
> >Maybe I've just re-invented the wheel, but in case I haven't, there's a 
> >very
> >simple little module I've just uploaded to CPAN:   
> >Template::Plugin::XML::Escape
> >
> >It just escapes the naughty <>'"& characters into XML entities.
> Sounds a lot like the standard HTML filter.
> http://search.cpan.org/dist/Template-Toolkit/lib/Template/Manual/Filters.pod#html

The real issue I have with all these damned things is that escaping
isn't done by default.  As abhorrent as HTML::Mason otherwise is[1], it
does have the option of turning on HTML escaping by default.  This is a
superb help towards stopping cross-site scripting attacks.

Database users learnt to use placeholders years ago when they realised
that manually quoting things was a pain in the posterior.  Why can't web
frameworks do the same?


[1] Mixing code and data like that requires a lot of discipline to keep
things clean.  I don't have that discipline.

More information about the london.pm mailing list