Bug in URI ?!
Jonathan Stowe
jns at gellyfish.com
Wed Aug 16 13:27:03 BST 2006
On Wed, 2006-08-16 at 12:58, Dominic Mitchell wrote:
> On Wed, Aug 16, 2006 at 09:57:11AM +0100, Aaron Trevena wrote:
> > On 16/08/06, Jonathan Stowe <jns at gellyfish.com> wrote:
> > >On Wed, 2006-08-16 at 08:44, Dominic Mitchell wrote:
> > >> templating systems did HTML escaping by default
> > >
> > >... and consequently destroying the carefully crafted Postscript, RTF,
> > >LaTeX or whatever else one might be trying to output.
>
> Then turn the default the other way. I'm willing to bet that these are
> fairly minority uses compared to web templating.
>
> > Exactly - what's wrong with [% value | html %] ?
> >
> > Works for me
>
> It works, but you're an expert web programmer with years of experience.
> You know to put it there.
>
> And I bet that were I to look at some of your source code to a web site,
> you'll have missed at least one. And that's quite likely to be a cross
> site scripting security hole waiting to happen.
>
> Why are you opposed to making the tools work according to spec?
Obviously it's a bug in Perl, it would of course be reasonable to expect
that the encoding is done by the default IOLayer. Of course a "no
htmlencode" pragma will be grudgingly provided for the minority of code
that isn't a web application.
/J\
--
This e-mail is sponsored by http://www.integration-house.com/
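As an added illustration of the point argued in the thread (escape-by-default versus opt-in escaping such as `[% value | html %]`), here is a small Python renderer. It is not code from the thread, not Template Toolkit's implementation, and not Perl: the `render` function, the `html` and `raw` filter names, the `autoescape` switch and the sample values are all constructed for this example. It shows the same forgetful template rendered both ways, and a per-template opt-out for the Postscript-style output Jonathan mentions, so that non-HTML output is not corrupted by a system-wide default.

```python
import html
import re

# Constructed example: a minimal placeholder renderer used to compare
# escape-by-default templating with opt-in escaping. Illustrative only,
# not Template Toolkit or any real templating engine.

# Matches {{ name }} and {{ name | filter | filter ... }}
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*((?:\|\s*\w+\s*)*)\}\}")

FILTERS = {
    "html": html.escape,      # explicit escape, analogous to TT's [% value | html %]
    "raw": lambda s: s,       # explicit opt-out, only meaningful under autoescape
}


def render(template, values, autoescape=True):
    """Substitute {{ name | filter ... }} placeholders.

    autoescape=True  : every value is HTML-escaped unless the template
                       author explicitly applies 'raw' (or already 'html').
    autoescape=False : a value is escaped only when the author remembers
                       to write '| html'; a missed filter is an XSS hole.
    """

    def substitute(match):
        name, filter_spec = match.group(1), match.group(2)
        filters = [f.strip() for f in filter_spec.split("|") if f.strip()]
        out = str(values[name])
        for f in filters:
            out = FILTERS[f](out)
        # Escape by default, without double-escaping an explicit '| html'
        if autoescape and "raw" not in filters and "html" not in filters:
            out = html.escape(out)
        return out

    return PLACEHOLDER.sub(substitute, template)


# Constructed untrusted input, e.g. a user-supplied display name
UNTRUSTED_NAME = '<script>alert("hi")</script>'


def render_opt_in_missed():
    """Opt-in escaping where the author forgot '| html': markup passes through."""
    return render("<p>Hello {{ name }}</p>", {"name": UNTRUSTED_NAME},
                  autoescape=False)


def render_opt_in_remembered():
    """Opt-in escaping where the author did write '| html'."""
    return render("<p>Hello {{ name | html }}</p>", {"name": UNTRUSTED_NAME},
                  autoescape=False)


def render_autoescape():
    """The same forgetful template under escape-by-default: neutralised."""
    return render("<p>Hello {{ name }}</p>", {"name": UNTRUSTED_NAME})


def render_trusted_fragment():
    """Under autoescape, a deliberately trusted fragment must opt out with 'raw'."""
    return render("<div>{{ nav | raw }}</div>", {"nav": "<a href=\"/\">home</a>"})


def render_non_html():
    """Postscript-style output: HTML escaping would corrupt it, so this
    template alone turns autoescape off instead of the whole system."""
    return render(
        "/Helvetica findfont {{ size }} scalefont setfont ({{ text }}) show",
        {"size": 12, "text": "A & B < C"},
        autoescape=False,
    )


if __name__ == "__main__":
    print("opt-in, filter missed   :", render_opt_in_missed())
    print("opt-in, filter present  :", render_opt_in_remembered())
    print("autoescape, same template:", render_autoescape())
    print("autoescape, raw opt-out :", render_trusted_fragment())
    print("non-HTML, autoescape off:", render_non_html())
```

The design choice worth noting is that the opt-out (`raw`, or `autoescape=False` for one template) is visible in the template, so a review or a grep can find every place where escaping was disabled, whereas with opt-in escaping the dangerous case is the absence of a filter, which nothing flags.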