dom at happygiraffe.net
Fri Jun 16 14:34:51 BST 2006
On Fri, Jun 16, 2006 at 01:43:19PM +0100, Dave Cross wrote:
> Quoting Toby Corkindale <tjc at wintrmute.net>:
> >Maybe I've just re-invented the wheel, but in case I haven't, there's a
> >simple little module I've just uploaded to CPAN:
> >It just escapes the naughty <>'"& characters into XML entities.
> Sounds a lot like the standard HTML filter.
The real issue I have with all these damned things is that escaping
isn't done by default. As abhorrent as HTML::Mason otherwise is, it
does have the option of turning on HTML escaping by default. This is a
superb help towards stopping cross-site scripting attacks.
Database users learnt to use placeholders years ago when they realised
that manually quoting things was a pain in the posterior. Why can't web
frameworks do the same?
 Mixing code and data like that requires a lot of discipline to keep
things clean. I don't have that discipline.
More information about the london.pm