Dave Cross dave at dave.org.uk
Fri Jun 16 15:05:05 BST 2006

Quoting Dominic Mitchell <dom at happygiraffe.net>:

> On Fri, Jun 16, 2006 at 01:43:19PM +0100, Dave Cross wrote:
>> Quoting Toby Corkindale <tjc at wintrmute.net>:
>> >Maybe I've just re-invented the wheel, but in case I haven't, there's a
>> >very
>> >simple little module I've just uploaded to CPAN:
>> >Template::Plugin::XML::Escape
>> >
>> >It just escapes the naughty <>'"& characters into XML entities.
>> Sounds a lot like the standard HTML filter.
>> http://search.cpan.org/dist/Template-Toolkit/lib/Template/Manual/Filters.pod#html
> The real issue I have with all these damned things is that escaping
> isn't done by default.  As abhorrent as HTML::Mason otherwise is[1], it
> does have the option of turning on HTML escaping by default.  This is a
> superb help towards stopping cross-site scripting attacks.

HTML::Mason has the advantage of knowing that what it's producing will
be HTML. TT doesn't know that. I'd get really pissed off if TT started
doing automatic HTML entity escaping on a template that was producing
plain text. Or a PDF.

> Database users learnt to use placeholders years ago when they realised
> that manually quoting things was a pain in the posterior.  Why can't web
> frameworks do the same?

Fair point. But TT isn't a web framework. Which is why I use it :)
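The contrast the thread draws, as an added example that is not part of the original message: Template Toolkit's standard `html` filter applied per variable and per block, beside an unfiltered template and a plain-text template, run over one constructed untrusted value. The `Template` module and its `html` filter are the real CPAN ones; the templates and the input string are made up for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): the built-in `html` filter versus
# no filter, showing why escaping in TT is a per-template decision.
use strict;
use warnings;
use Template;

my $tt = Template->new() or die Template->error();

# Constructed untrusted input, as it might arrive from a form field.
my $vars = {
    name    => q{<script>alert("xss")</script>},
    comment => q{Tom & Jerry <3},
};

my %templates = (
    # No escaping: the raw value lands inside the HTML document as markup.
    unescaped => q{<p>Hello [% name %]: [% comment %]</p>},

    # Per-variable escaping with the standard html filter (the filter the
    # thread points at in the TT manual).
    per_var   => q{<p>Hello [% name | html %]: [% comment | html %]</p>},

    # A FILTER block escapes everything produced inside it, literal text
    # included, so the surrounding markup is kept outside the block. This is
    # the closest TT comes to "escaping on by default" for an HTML region.
    block     => q{<p>[% FILTER html %]Hello [% name %]: [% comment %][% END %]</p>},

    # Plain-text output: applying the html filter here would corrupt the
    # text, which is the reason TT leaves the choice to the template author.
    plaintext => q{Hello [% name %]: [% comment %]},
);

for my $label (qw(unescaped per_var block plaintext)) {
    my $out = '';
    $tt->process(\$templates{$label}, $vars, \$out)
        or die $tt->error();
    print "$label: $out\n";
}
```

Only the `unescaped` line reproduces the `<script>` element verbatim; the two filtered HTML variants emit it as entities, and the plain-text variant is correct precisely because nothing was escaped.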
