Template::Plugin::XML::Escape

Toby Corkindale tjc at wintrmute.net
Tue Jul 4 15:57:31 BST 2006


On Sat, Jun 17, 2006 at 07:10:14PM +0900, Tatsuhiko Miyagawa wrote:
> There is a Template Stash plugin to change the stash behavior to do
> HTML escape by default.
> http://search.cpan.org/~ikebe/Template-Stash-EscapeHTML-0.01/
> 
> You can write unhtml filter to revert it back when you really don't
> want to escape.

Cheers, definitely was worth a look.

-Toby

> On 6/16/06, Dominic Mitchell <dom at happygiraffe.net> wrote:
> >On Fri, Jun 16, 2006 at 01:43:19PM +0100, Dave Cross wrote:
> >> Quoting Toby Corkindale <tjc at wintrmute.net>:
> >>
> >> >Maybe I've just re-invented the wheel, but in case I haven't, there's a
> >> >very
> >> >simple little module I've just uploaded to CPAN:
> >> >Template::Plugin::XML::Escape
> >> >
> >> >It just escapes the naughty <>'"& characters into XML entities.
> >>
> >> Sounds a lot like the standard HTML filter.
> >>
> >> 
> >http://search.cpan.org/dist/Template-Toolkit/lib/Template/Manual/Filters.pod#html
> >
> >The real issue I have with all these damned things is that escaping
> >isn't done by default.  As abhorrent as HTML::Mason otherwise is[1], it
> >does have the option of turning on HTML escaping by default.  This is a
> >superb help towards stopping cross-site scripting attacks.
> >
> >Database users learnt to use placeholders years ago when they realised
> >that manually quoting things was a pain in the posterior.  Why can't web
> >frameworks do the same?
> >
> >-Dom
> >
> >[1] Mixing code and data like that requires a lot of discipline to keep
> >things clean.  I don't have that discipline.
> >
> 
> 
> -- 
> Tatsuhiko Miyagawa

-- 
Turning and turning in the widening gyre/The falcon cannot hear the falconer;
Things fall apart, the centre cannot hold/Mere anarchy is loosed upon the world
(gpg --keyserver www.co.uk.pgp.net --recv-key B1CCF88E)
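The escape-by-default scheme Dominic argues for, together with the `<>'"&` entity escaping Toby describes, as an added Perl example. It is not part of the thread and is not the code of Template::Plugin::XML::Escape or Template::Stash::EscapeHTML; the `xml_escape`, `render` and `raw` names, the `Raw` wrapper class and the tiny `[% name %]` template syntax are assumptions made here for illustration, and the inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The five characters that are special in XML, mapped to their entities.
# '&' must be handled in the same pass as the rest so that the entities we
# produce for <, >, " and ' are not themselves escaped a second time.
my %ENTITY = (
    '&' => '&amp;',
    '<' => '&lt;',
    '>' => '&gt;',
    '"' => '&quot;',
    "'" => '&apos;',
);

# Escape untrusted text for inclusion in XML/XHTML. Undefined values
# render as the empty string rather than warning.
sub xml_escape {
    my ($text) = @_;
    return '' unless defined $text;
    $text =~ s/([&<>"'])/$ENTITY{$1}/g;
    return $text;
}

# Values wrapped in this class are emitted verbatim. This is the explicit
# opt-out, playing the role of the "unhtml" filter mentioned above: the
# template author has to ask for unescaped output, it never happens by
# accident. (Assumed helper class, not a Template Toolkit feature.)
package Raw;
sub new       { my ($class, $s) = @_; return bless \$s, $class; }
sub as_string { return ${ $_[0] }; }
package main;

sub raw { return Raw->new($_[0]); }

# Minimal renderer: each [% name %] is looked up in the stash and escaped
# by default; only values explicitly marked with raw() bypass escaping.
sub render {
    my ($template, $stash) = @_;
    $template =~ s{\[%\s*(\w+)\s*%\]}{
        my $v = $stash->{$1};
        ref($v) eq 'Raw' ? $v->as_string : xml_escape($v)
    }ge;
    return $template;
}

# Constructed attacker-style input of the kind an XSS probe would send.
my $untrusted = q{<script>alert('xss')</script> & "quotes"};
my $tmpl      = q{<p>Hello, [% name %]!</p><div>[% body %]</div>};

# Default path: every special character in $untrusted becomes an entity,
# so the browser shows the text instead of executing a script.
print render($tmpl, { name => $untrusted, body => 'plain text' }), "\n";

# Opt-out path: markup the application itself generated is passed through
# only because it was wrapped in raw() on purpose.
print render($tmpl, { name => 'world', body => raw('<em>trusted markup</em>') }), "\n";
```

The design point is the one Dominic makes about database placeholders: the safe behaviour is the default and the unsafe one requires a visible marker at the call site, so a code review can grep for `raw(` (or, with the real stash plugin, for `unhtml`) to find every place where escaping has been switched off.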