Template::Plugin::XML::Escape
Dominic Mitchell
dom at happygiraffe.net
Fri Jun 16 14:34:51 BST 2006
On Fri, Jun 16, 2006 at 01:43:19PM +0100, Dave Cross wrote:
> Quoting Toby Corkindale <tjc at wintrmute.net>:
>
> >Maybe I've just re-invented the wheel, but in case I haven't, there's a
> >very simple little module I've just uploaded to CPAN:
> >Template::Plugin::XML::Escape
> >
> >It just escapes the naughty <>'"& characters into XML entities.
>
> Sounds a lot like the standard HTML filter.
>
> http://search.cpan.org/dist/Template-Toolkit/lib/Template/Manual/Filters.pod#html
The real issue I have with all these damned things is that escaping
isn't done by default. As abhorrent as HTML::Mason otherwise is[1], it
does have the option of turning on HTML escaping by default. This is a
superb help towards stopping cross-site scripting attacks.

Database users learnt to use placeholders years ago when they realised
that manually quoting things was a pain in the posterior. Why can't web
frameworks do the same?
-Dom
[1] Mixing code and data like that requires a lot of discipline to keep
things clean. I don't have that discipline.
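An added illustration of the escape-by-default argument above, in Perl; this is not the CPAN module's code nor Template Toolkit's. The `xml_escape` function covers the five characters named in the thread, and a toy `render` escapes every interpolated value unless it was explicitly wrapped with `raw()` (all three names are hypothetical).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the five XML-significant characters <>'"& as entities.
# '&' must be handled first, otherwise the entities added afterwards
# would themselves be escaped again.
sub xml_escape {
    my ($s) = @_;
    return '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Mark a value as trusted markup so it bypasses the default escaping.
# Hypothetical marker for this example only, not a Template Toolkit feature.
sub raw {
    my ($s) = @_;
    return bless \$s, 'RawMarkup';
}

# Minimal renderer: each [% name %] is escaped on output unless the value
# was wrapped with raw(). Escaping is the default; bypassing it is the
# explicit, greppable exception, much like DBI placeholders versus quoting.
sub render {
    my ($template, $vars) = @_;
    $template =~ s{\[%\s*(\w+)\s*%\]}{
        my $v = $vars->{$1};
        ref($v) eq 'RawMarkup' ? $$v : xml_escape($v)
    }ge;
    return $template;
}

# Constructed sample input: an attacker-controlled name next to a
# deliberately trusted footer fragment.
my $tmpl = '<p>Hello, [% name %]! [% footer %]</p>';
my $out  = render($tmpl, {
    name   => q{<script>alert("x")</script>},
    footer => raw('<em>ok</em>'),
});
print "$out\n";
```

The script element in `name` comes out entity-encoded, while only the value passed through `raw()` reaches the page as markup.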