PHP - security etc

Andy Armstrong andy at
Thu Mar 8 20:01:31 GMT 2007

On 8 Mar 2007, at 19:40, Aaron Trevena wrote:

> On 07/03/07, Paul Makepeace <paulm at> wrote:
>> The conclusion I got from
>> reading between lines on catalyst, templates, and is that
>> Perl just doesn't have decent HTML+template+escaping yet either.
> Depends what you want - if you only want to allow what you consider
> safe html, then it *is* trivial in TT, just pass a filtering sub to TT
> constructor, or use the HTML filter.
> my $t = Template->new({ .... , FILTERS => { safe_html =>
> \&my_escape_function } });
> and hey presto :
> [% foo.user_entered_text | html %]
> or
> [% foo.user_entered_html | safe_html %] or
> Works for me - I'm using something like this to escape data for LaTeX.

Interestingly this debate - much has I dislike PHP - has given me the  
germ of a clue as to why the damn thing is so popular.

If /we/ [1] can't agree on the right way to do it in Perl who the  
hell can?

If mod_perl dropped out of the box with a PHP like embedding  
mechanism that was turned on by default - so you could just create and start mucking around - then it might be a hell of a lot  
more popular. Hell, if it did that I'd be more inclined to use it for  
quick and dirty web stuff.

[1] With due respect to everyone too dim to be on this list.

Andy Armstrong,

More information about the mailing list