Template::Plugin::XML::Escape
Dominic Mitchell
dom at happygiraffe.net
Sat Jun 17 10:56:13 BST 2006
Dave Cross wrote:
> Quoting Dominic Mitchell <dom at happygiraffe.net>:
>
>> On Fri, Jun 16, 2006 at 01:43:19PM +0100, Dave Cross wrote:
>>> Quoting Toby Corkindale <tjc at wintrmute.net>:
>>>
>>> >Maybe I've just re-invented the wheel, but in case I haven't, there's a
>>> >very
>>> >simple little module I've just uploaded to CPAN:
>>> >Template::Plugin::XML::Escape
>>> >
>>> >It just escapes the naughty <>'"& characters into XML entities.
>>>
>>> Sounds a lot like the standard HTML filter.
>>>
>>> http://search.cpan.org/dist/Template-Toolkit/lib/Template/Manual/Filters.pod#html
>>>
>>
>> The real issue I have with all these damned things is that escaping
>> isn't done by default. As abhorrent as HTML::Mason otherwise is[1], it
>> does have the option of turning on HTML escaping by default. This is a
>> superb help towards stopping cross-site scripting attacks.
>
> HTML::Mason has the advantage of knowing that what it's producing will
> be HTML. TT doesn't know that. I'd get really pissed off if TT started
> doing automatic HTML entity escaping on a template that was producing
> plain text. Or a PDF.
Good point. But I reckon it's still used for a lot of web stuff. To be
honest, I don't mean to pick on TT in particular, more on web-templating
systems in general.
>> Database users learnt to use placeholders years ago when they realised
>> that manually quoting things was a pain in the posterior. Why can't web
>> frameworks do the same?
>
> Fair point. But TT isn't a web framework. Which is why I use it :)
I don't disagree -- it's damned useful.
-Dom
More information about the london.pm
mailing list