tjc at wintrmute.net
Tue Jul 4 15:57:31 BST 2006
On Sat, Jun 17, 2006 at 07:10:14PM +0900, Tatsuhiko Miyagawa wrote:
> There is a Template Stash plugin to change the stash behavior to do
> HTML escape by default.
> You can write unhtml filter to revert it back when you really don't
> want to escape.
Cheers, definitely was worth a look.
> On 6/16/06, Dominic Mitchell <dom at happygiraffe.net> wrote:
> >On Fri, Jun 16, 2006 at 01:43:19PM +0100, Dave Cross wrote:
> >> Quoting Toby Corkindale <tjc at wintrmute.net>:
> >> >Maybe I've just re-invented the wheel, but in case I haven't, there's a
> >> >very
> >> >simple little module I've just uploaded to CPAN:
> >> >Template::Plugin::XML::Escape
> >> >
> >> >It just escapes the naughty <>'"& characters into XML entities.
> >> Sounds a lot like the standard HTML filter.
> >The real issue I have with all these damned things is that escaping
> >isn't done by default. As abhorrent as HTML::Mason otherwise is, it
> >does have the option of turning on HTML escaping by default. This is a
> >superb help towards stopping cross-site scripting attacks.
> >Database users learnt to use placeholders years ago when they realised
> >that manually quoting things was a pain in the posterior. Why can't web
> >frameworks do the same?
> >Mixing code and data like that requires a lot of discipline to keep
> >things clean. I don't have that discipline.
> Tatsuhiko Miyagawa
Turning and turning in the widening gyre/The falcon cannot hear the falconer;
Things fall apart, the centre cannot hold/Mere anarchy is loosed upon the world
(gpg --keyserver www.co.uk.pgp.net --recv-key B1CCF88E)
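The thread above contrasts escaping the `<>'"&` characters by hand with having a template engine escape by default. The following added example (not code from the thread, the CPAN module, or the Stash plugin it mentions) renders a constructed hostile string through Template Toolkit twice, once unfiltered and once through the standard `html` filter, and also shows a small hypothetical `xml_escape` helper that maps the five characters to XML entities. The variable name `name` and the sample input are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Constructed sample of untrusted input (the kind of value an attacker
# submits in a form field); not taken from the thread.
my $untrusted = q{<script>alert("x")</script> & 'quotes'};

# Hypothetical helper: escape the five "naughty" characters into XML
# entities. The ampersand must be handled first, otherwise the '&' that
# the later substitutions introduce would be escaped a second time.
sub xml_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

my $tt = Template->new();

# No filter: the raw input is copied into the page unchanged. This is the
# default behaviour the thread complains about, and it is the XSS hazard.
my $raw = '';
$tt->process( \'<p>[% name %]</p>', { name => $untrusted }, \$raw )
    or die $tt->error;

# Standard html filter: the same input is rendered as inert text.
my $safe = '';
$tt->process( \'<p>[% name | html %]</p>', { name => $untrusted }, \$safe )
    or die $tt->error;

print "raw:        $raw\n";
print "safe:       $safe\n";
print "xml_escape: ", xml_escape($untrusted), "\n";
```

Run it with `perl escape_demo.pl` (the filename is arbitrary); the `raw` line contains the literal `<script>` tag while the `safe` line shows `&lt;script&gt;`. The point of the thread is that the second form has to be remembered on every single `[% ... %]` tag unless the stash escapes by default, which is exactly the discipline the original poster says he does not have.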