PHP - security etc
Andy Armstrong
andy at hexten.net
Thu Mar 8 20:01:31 GMT 2007
On 8 Mar 2007, at 19:40, Aaron Trevena wrote:
> On 07/03/07, Paul Makepeace <paulm at paulm.com> wrote:
>> The conclusion I got from
>> reading between lines on catalyst, templates, and london.pm is that
>> Perl just doesn't have decent HTML+template+escaping yet either.
>
> Depends what you want - if you only want to allow what you consider
> safe html, then it *is* trivial in TT, just pass a filtering sub to TT
> constructor, or use the HTML filter.
>
> my $t = Template->new({ .... , FILTERS => { safe_html =>
> \&my_escape_function } });
>
> and hey presto :
>
> [% foo.user_entered_text | html %]
> or
> [% foo.user_entered_html | safe_html %] or
>
> Works for me - I'm using something like this to escape data for LaTeX.
Interestingly this debate - much as I dislike PHP - has given me the
germ of a clue as to why the damn thing is so popular.
If /we/ [1] can't agree on the right way to do it in Perl who the
hell can?
If mod_perl dropped out of the box with a PHP like embedding
mechanism that was turned on by default - so you could just create
index.mp and start mucking around - then it might be a hell of a lot
more popular. Hell, if it did that I'd be more inclined to use it for
quick and dirty web stuff.
[1] With due respect to everyone too dim to be on this list.
--
Andy Armstrong, hexten.net
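The two-filter arrangement Aaron describes above, written out as a runnable script. This is an added example, not code from the thread or from Template Toolkit itself; it assumes the Template and HTML::Scrubber CPAN modules are installed and that the whitelist of allowed tags is one you have chosen for your own site.

```perl
#!/usr/bin/env perl
# Added example (not from the thread): a TT with the built-in `html`
# filter for plain text and a custom `safe_html` filter for user HTML.
# Assumes Template (Template Toolkit) and HTML::Scrubber are installed.
use strict;
use warnings;
use Template;
use HTML::Scrubber;

# Whitelist scrubber: only these tags survive. Attributes are denied by
# default ('*' => 0), so onclick/onload/style are dropped; <a> may keep an
# href only when it is an http(s) URL, which rejects javascript: links.
# Script tags and their contents are removed by HTML::Scrubber's defaults.
my $scrubber = HTML::Scrubber->new(
    allow => [qw(p br b i em strong a)],
    rules => [ a => { href => qr{^https?://}i, '*' => 0 } ],
);

# The sub handed to TT as the `safe_html` filter (the my_escape_function
# of the quoted message, filled in with a whitelist sanitiser).
sub safe_html {
    my $html = shift;
    return $scrubber->scrub($html);
}

my $tt = Template->new({
    FILTERS => { safe_html => \&safe_html },
}) or die Template->error;

# Constructed sample data: the kind of input an untrusted user might submit.
my $vars = {
    user_entered_text => q{<script>alert(1)</script> "quoted" & <b>not bold</b>},
    user_entered_html => q{<p onclick="alert(1)">Hi <b>there</b>}
                       . q{<script>alert(1)</script> <a href="javascript:alert(1)">x</a>}
                       . q{ <a href="https://example.com/">ok</a></p>},
};

# `html` entity-encodes everything; `safe_html` keeps only whitelisted markup.
my $template = <<'TT';
text: [% user_entered_text | html %]
html: [% user_entered_html | safe_html %]
TT

$tt->process(\$template, $vars) or die $tt->error;
```

Any user-supplied string must go through exactly one of the two filters; a variable emitted with neither is the usual way such a setup ends up with an injection hole.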