Bug in URI ?!

Dominic Mitchell dom at happygiraffe.net
Wed Aug 16 21:59:29 BST 2006


Jonathan Stowe wrote:
> On Wed, 2006-08-16 at 12:58, Dominic Mitchell wrote:
>> On Wed, Aug 16, 2006 at 09:57:11AM +0100, Aaron Trevena wrote:
>>> On 16/08/06, Jonathan Stowe <jns at gellyfish.com> wrote:
>>>> On Wed, 2006-08-16 at 08:44, Dominic Mitchell wrote:
>>>>> templating systems did HTML escaping by default
>>>> ... and consequently destroying the carefully crafted Postscript, RTF,
>>>> LaTeX or whatever else one might be trying to output.
>> Then turn the default the other way.  I'm willing to bet that these are
>> fairly minority uses compared to web templating.
>>
>>> Exactly - what's wrong with [% value | html %] ?
>>>
>>> Works for me
>> It works, but you're an expert web programmer with years of experience.
>> You know to put it there.
>>
>> And I bet that were I to look at some of your source code to a web site,
>> you'll have missed at least one.  And that's quite likely to be a cross
>> site scripting security hole waiting to happen.
>>
>> Why are you opposed to making the tools work according to spec?
> 
> Obviously it's a bug in Perl, it would of course be reasonable to expect
> that the encoding is done by the default IOLayer. Of course a "no
> htmlencode" pragma will be grudgingly provided for the minority of code
> that isn't a web application.

Come on, don't be silly. Perl isn't sold as a web templating language.

-Dom
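
The opt-in `[% value | html %]` approach debated in this thread can be audited mechanically. The following is an added example, not part of the original message or of Template Toolkit: a small Python check that lists output directives with no HTML-escaping filter. The function name, the sample template and the choice of which filters count as safe are assumptions of this sketch.

```python
import re

# Template Toolkit-style directive: [% ... %], with optional chomp markers.
DIRECTIVE = re.compile(r"\[%[-+=~]?(.*?)[-+=~]?%\]", re.S)
# A single "|" (not "||") or the FILTER keyword introduces a filter name.
FILTER_NAME = re.compile(r"(?:(?<!\|)\|(?!\|)|\bFILTER\b)\s*(\w+)")
# Directives skipped by this check because they are not plain value output
# (list is not exhaustive).
KEYWORDS = {"IF", "ELSIF", "ELSE", "UNLESS", "FOREACH", "FOR", "WHILE", "END",
            "SET", "DEFAULT", "BLOCK", "MACRO", "USE", "FILTER", "SWITCH",
            "CASE", "NEXT", "LAST", "TRY", "CATCH", "INCLUDE", "PROCESS",
            "WRAPPER", "CALL", "META"}
# Filters this check accepts as HTML escaping (an assumption of the example).
SAFE_FILTERS = {"html", "html_entity", "xml"}


def find_unescaped(template):
    """Return (line, directive) for each output directive with no safe filter."""
    findings = []
    for m in DIRECTIVE.finditer(template):
        body = m.group(1).strip()
        if not body or body.startswith("#"):       # empty tag or [%# comment %]
            continue
        if body.split(None, 1)[0] in KEYWORDS:     # control flow, not output
            continue
        if re.match(r"[\w.]+\s*=(?!=)", body):     # assignment: [% x = 1 %]
            continue
        if not SAFE_FILTERS.intersection(FILTER_NAME.findall(body)):
            line = template.count("\n", 0, m.start()) + 1
            findings.append((line, body))
    return findings


# Constructed sample template: two values are interpolated without a filter.
SAMPLE = """<title>[% title | html %]</title>
[% IF user %]
<p>Hello, [% user.name %]</p>
[%- END -%]
<p>[% comment FILTER html %]</p>
<p>[% signature %]</p>
"""

if __name__ == "__main__":
    for line, directive in find_unescaped(SAMPLE):
        print(f"line {line}: [% {directive} %] has no HTML filter")
```

A finding is a prompt for review rather than proof of a hole: values placed in non-HTML output, or already escaped upstream, will also be listed.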

