Dominic Mitchell dom at happygiraffe.net
Sat Jun 17 10:56:13 BST 2006

Dave Cross wrote:
> Quoting Dominic Mitchell <dom at happygiraffe.net>:
>> On Fri, Jun 16, 2006 at 01:43:19PM +0100, Dave Cross wrote:
>>> Quoting Toby Corkindale <tjc at wintrmute.net>:
>>> >Maybe I've just re-invented the wheel, but in case I haven't, there's a
>>> >very
>>> >simple little module I've just uploaded to CPAN:
>>> >Template::Plugin::XML::Escape
>>> >
>>> >It just escapes the naughty <>'"& characters into XML entities.
>>> Sounds a lot like the standard HTML filter.
>>> http://search.cpan.org/dist/Template-Toolkit/lib/Template/Manual/Filters.pod#html 
>> The real issue I have with all these damned things is that escaping
>> isn't done by default.  As abhorrent as HTML::Mason otherwise is[1], it
>> does have the option of turning on HTML escaping by default.  This is a
>> superb help towards stopping cross-site scripting attacks.
> HTML::Mason has the advantage of knowing that what it's producing will 
> be HTML. TT doesn't know that. I'd get really pissed off if TT started 
> doing automatic HTML entity escaping on a template that was producing 
> plain text. Or a PDF.

Good point.  But I reckon it's still used for a lot of web stuff.  To be 
honest, I don't mean to pick on TT in particular, more on web-templating 
systems in general.

>> Database users learnt to use placeholders years ago when they realised
>> that manually quoting things was a pain in the posterior.  Why can't web
>> frameworks do the same?
> Fair point. But TT isn't a web framework. Which is why I use it :)

I don't disagree -- it's damned useful.
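To make the two points in this exchange concrete (escaping the five XML-significant characters, and escaping by default rather than per call), here is an added illustration in plain Perl. It is not code from the thread, from Template::Plugin::XML::Escape or from the Template Toolkit; `xml_escape` and the toy `render` function with its `[% name %]` / `[% name | raw %]` syntax are hypothetical and only borrow TT's look so the comparison reads naturally.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the five XML-significant characters <>'"& into entities.
# The substitution handles all of them in one pass, so an ampersand
# inside an entity we emit is never re-escaped. &#39; is used for the
# apostrophe because &apos; is XML-only and older HTML parsers reject it.
sub xml_escape {
    my ($s) = @_;
    return '' unless defined $s;
    my %ent = (
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&#39;',
    );
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# A deliberately tiny, hypothetical template renderer (not TT).
# Every [% name %] is escaped unless the author explicitly writes
# [% name | raw %], so a forgotten filter fails safe instead of open.
# This is the "placeholders for the web" behaviour argued for above.
sub render {
    my ($tmpl, $vars) = @_;
    $tmpl =~ s{\[%\s*(\w+)\s*(?:\|\s*(\w+)\s*)?%\]}{
        my ($name, $filter) = ($1, $2 // '');
        my $val = $vars->{$name};
        $filter eq 'raw' ? ($val // '') : xml_escape($val);
    }ge;
    return $tmpl;
}

# Constructed sample input: a value a user might submit in a form field.
my $hostile = q{<script>alert("x")</script> & 'quoted'};

print xml_escape($hostile), "\n";

# With escape-by-default the hostile value is rendered inert, while
# markup the application itself produced can still be passed through
# with an explicit opt-out.
my $page = "<p>Hello [% name %]</p>\n<div>[% markup | raw %]</div>\n";
print render($page, { name => $hostile, markup => '<em>trusted</em>' });
```

The important design choice is the direction of the default: the unsafe path (`| raw`) is the one that has to be spelled out in the template, which is the same ergonomics that database placeholders give for SQL.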


More information about the london.pm mailing list