Tatsuhiko Miyagawa miyagawa at gmail.com
Sat Jun 17 11:10:14 BST 2006

There is a Template Stash plugin to change the stash behavior to do
HTML escape by default.

You can write an unhtml filter to revert it back when you really don't
want to escape.

On 6/16/06, Dominic Mitchell <dom at happygiraffe.net> wrote:
> On Fri, Jun 16, 2006 at 01:43:19PM +0100, Dave Cross wrote:
> > Quoting Toby Corkindale <tjc at wintrmute.net>:
> >
> > >Maybe I've just re-invented the wheel, but in case I haven't, there's a
> > >very
> > >simple little module I've just uploaded to CPAN:
> > >Template::Plugin::XML::Escape
> > >
> > >It just escapes the naughty <>'"& characters into XML entities.
> >
> > Sounds a lot like the standard HTML filter.
> >
> > http://search.cpan.org/dist/Template-Toolkit/lib/Template/Manual/Filters.pod#html
> The real issue I have with all these damned things is that escaping
> isn't done by default.  As abhorrent as HTML::Mason otherwise is[1], it
> does have the option of turning on HTML escaping by default.  This is a
> superb help towards stopping cross-site scripting attacks.
> Database users learnt to use placeholders years ago when they realised
> that manually quoting things was a pain in the posterior.  Why can't web
> frameworks do the same?
> -Dom
> [1] Mixing code and data like that requires a lot of discipline to keep
> things clean.  I don't have that discipline.

Tatsuhiko Miyagawa
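The approach Miyagawa describes, a stash that escapes by default plus an unhtml filter to undo it, sketched as an added example in Perl. This is not the CPAN plugin he refers to (the message does not name it); EscapingStash, html_escape, html_unescape and the filter name unhtml are names chosen for this illustration, and the sample variables are constructed.

```perl
#!/usr/bin/env perl
# Added example (not from the thread): a Template::Stash subclass that
# HTML-escapes every scalar variable on lookup, plus an 'unhtml' filter
# for the few places where raw markup is intentional.
use strict;
use warnings;
use Template;
use Template::Stash;

# The entities the stash emits; the unhtml filter reverses exactly these.
my %ENTITY = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
              '"' => '&quot;', "'" => '&#39;');
my %CHAR   = reverse %ENTITY;

sub html_escape {
    my ($s) = @_;
    $s =~ s/([&<>"'])/$ENTITY{$1}/g;
    return $s;
}

sub html_unescape {
    my ($s) = @_;
    $s =~ s/(&amp;|&lt;|&gt;|&quot;|&#39;)/$CHAR{$1}/g;
    return $s;
}

# Hypothetical stash: every scalar lookup comes back escaped. References
# (hashes, lists, objects) pass through untouched so templates can still
# traverse them; their scalar leaves are escaped on their own lookup.
package EscapingStash {
    use parent -norequire, 'Template::Stash';

    sub get {
        my $self  = shift;
        my $value = $self->SUPER::get(@_);
        return $value if !defined $value || ref $value;
        return main::html_escape($value);
    }
}

my $tt = Template->new({
    STASH   => EscapingStash->new,
    FILTERS => { unhtml => \&html_unescape },
}) or die Template->error;

# Constructed sample data: an attacker-controlled name next to a snippet
# the application deliberately renders as markup.
my $vars = {
    name    => '<script>alert(1)</script>',
    snippet => '<b>trusted markup</b>',
    users   => [ { name => "O'Neil" } ],
};

my $template = <<'TT';
Hello [% name %]
Raw:   [% snippet | unhtml %]
[% FOREACH u IN users %]User: [% u.name %]
[% END %]
TT

$tt->process(\$template, $vars, \my $out) or die $tt->error;
print $out;
```

With this stash the default is the safe direction: a template that forgets to filter `name` still emits `&lt;script&gt;`, and only a value explicitly marked `| unhtml` reaches the page raw. Two things to keep in mind when adopting the pattern: applying the standard `html` filter on top of an already escaped value double-escapes it, and `unhtml` only undoes the five entities this stash produces, so it should be reserved for values the application itself generated rather than anything user-supplied.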
