Template::Plugin::XML::Escape

Tatsuhiko Miyagawa miyagawa at gmail.com
Sat Jun 17 11:10:14 BST 2006


There is a Template Stash plugin to change the stash behavior to do
HTML escape by default.
http://search.cpan.org/~ikebe/Template-Stash-EscapeHTML-0.01/

You can write an unhtml filter to revert it back when you really don't
want to escape.


On 6/16/06, Dominic Mitchell <dom at happygiraffe.net> wrote:
> On Fri, Jun 16, 2006 at 01:43:19PM +0100, Dave Cross wrote:
> > Quoting Toby Corkindale <tjc at wintrmute.net>:
> >
> > >Maybe I've just re-invented the wheel, but in case I haven't, there's a
> > >very simple little module I've just uploaded to CPAN:
> > >Template::Plugin::XML::Escape
> > >
> > >It just escapes the naughty <>'"& characters into XML entities.
> >
> > Sounds a lot like the standard HTML filter.
> >
> > http://search.cpan.org/dist/Template-Toolkit/lib/Template/Manual/Filters.pod#html
>
> The real issue I have with all these damned things is that escaping
> isn't done by default.  As abhorrent as HTML::Mason otherwise is[1], it
> does have the option of turning on HTML escaping by default.  This is a
> superb help towards stopping cross-site scripting attacks.
>
> Database users learnt to use placeholders years ago when they realised
> that manually quoting things was a pain in the posterior.  Why can't web
> frameworks do the same?
>
> -Dom
>
> [1] Mixing code and data like that requires a lot of discipline to keep
> things clean.  I don't have that discipline.
>


-- 
Tatsuhiko Miyagawa
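The escape-by-default setup Tatsuhiko points at, side by side with the stock stash, as an added example (this is not code from the thread, nor from the Template::Stash::EscapeHTML distribution). It assumes the interface from that module's synopsis, a stash object passed as STASH to Template->new that HTML-escapes scalars on lookup; the `unhtml` opt-out filter is not a stock Template Toolkit filter and is defined here with HTML::Entities; `render`, `%filters`, `$opt_in` and `$opt_out` are illustration names; the input values are constructed.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from Template::Stash::EscapeHTML.
# Assumed interface: Template::Stash::EscapeHTML->new is passed as STASH and
# HTML-escapes every scalar fetched from the stash (as in the module synopsis).
# 'unhtml' is NOT a stock Template Toolkit filter; it is defined below.
use strict;
use warnings;
use Template;
use Template::Stash::EscapeHTML;
use HTML::Entities qw(decode_entities);

# Opt-out filter: undo the stash's escaping for a value you have already
# vetted as safe HTML. Registered on both engines so one template compiles
# under both; it is only meaningful with the escaping stash.
my %filters = ( unhtml => sub { decode_entities($_[0]) } );

# Constructed input: an untrusted display name and a trusted, pre-rendered fragment.
my $vars = {
    name  => q{<script>alert(1)</script>},
    blurb => q{<b>bold</b> &amp; trusted},
};

my $template = <<'TT';
Hello [% name %]
Bio:  [% blurb | unhtml %]
TT

sub render {
    my ($engine, $vars) = @_;
    $engine->process(\$template, $vars, \my $out) or die $engine->error;
    return $out;
}

# 1. Stock stash: nothing is escaped unless the template author remembers
#    '| html' on every variable, so $name reaches the page as live markup.
my $opt_in = Template->new({ FILTERS => \%filters });
print "stock stash:\n", render($opt_in, $vars);

# 2. Escaping stash: every scalar is escaped on lookup, so a forgotten filter
#    is safe by default; only the explicitly vetted value is passed through raw.
my $opt_out = Template->new({
    STASH   => Template::Stash::EscapeHTML->new,
    FILTERS => \%filters,
});
print "escaping stash:\n", render($opt_out, $vars);
```

Both Template::Stash::EscapeHTML and HTML::Entities come from CPAN; the two printed blocks differ only in how `name` is rendered. Two caveats for anyone adopting this: stash-level escaping is HTML body escaping only, so a value placed inside an attribute, a URL or inline JavaScript still needs context-specific encoding; and `unhtml` is exactly the opt-out the thread wants to be rare, so every use of it marks a value that must have been sanitized before it was put in the stash.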


More information about the london.pm mailing list