PHP - security etc

Aaron Trevena aaron.trevena at
Thu Mar 8 20:10:05 GMT 2007

On 08/03/07, Aaron Trevena <aaron.trevena at> wrote:
> On 07/03/07, Paul Makepeace <paulm at> wrote:
> > The conclusion I got from
> > reading between lines on catalyst, templates, and is that
> > Perl just doesn't have decent HTML+template+escaping yet either.
> Depends what you want - if you only want to allow what you consider
> safe html, then it *is* trivial in TT, just pass a filtering sub to TT
> constructor, or use the HTML filter.

Actually, I think Paul's argument is a straw man; escaping is to do
with handling formats of data, so that it is displayed correctly - XSS,
etc should be prevented at the point of entry, not at the last minute
before being displayed to the user when generating templated output.

So it's not a case of, HTML+template+escaping, it's a case of decent
validation, which means using stuff like Data::FormValidator in
combination with specialised filters for XSS, etc of which CPAN has

So Paul is wrong on both counts - Templates + escaping (whether it's
HTML, XML or even LaTeX) is just dandy thanks, and XSS is also
manageable using tools available on CPAN like XSS::Lint,
HTML::TagFilter, and XSS HTML::StripScripts packages.

I'm sure this myth about a vital missing feature has been debunked here already.


LAMP System Integration, Development and Hosting
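The two layers this message argues for, put together in one added Perl example: validation at the point of entry with Data::FormValidator, then escaping or filtering at output time with Template Toolkit's built-in html filter and a filtering sub passed to the TT constructor, wrapping HTML::StripScripts for the one field that may contain a subset of HTML. This is not code from the thread or from the authors of those modules. It assumes Template, Data::FormValidator and HTML::StripScripts::Parser are installed from CPAN; the form submission is constructed for the example, and the filter name safe_html and the helper functions validate_submission and render_profile are this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

use Data::FormValidator;           # validation at the point of entry
use HTML::StripScripts::Parser;    # whitelist filter for the "safe HTML" field
use Template;                      # Template Toolkit (TT)

# Constructed sample form submission, one awkward value per field:
#   username - contains markup, so it must be rejected outright;
#   nickname - plain text that happens to contain quotes and angle brackets;
#   bio      - a field where a limited subset of HTML is allowed.
my %submitted = (
    username => 'alice<script>',
    nickname => 'Bob "the" <Builder>',
    bio      => '<b>hi</b><script>x()</script>',
);

# Layer 1: the Data::FormValidator profile. Fields not listed are dropped,
# and username must be a short word. bio passes through here: its markup is
# handled by the output filter below, not by validation.
my $profile = {
    required           => [qw(username nickname)],
    optional           => [qw(bio)],
    constraint_methods => { username => qr/^\w{1,20}\z/ },
};

# Returns (hashref of fields that passed, arrayref of field names that failed).
sub validate_submission {
    my ($input) = @_;
    my $results  = Data::FormValidator->check($input, $profile);
    my @rejected = $results->invalid;      # list context: names of bad fields
    return ($results->valid, \@rejected);  # scalar context: hashref of good ones
}

# Layer 2: Template Toolkit. "html" is TT's built-in escaping filter.
# "safe_html" (name chosen for this example) is a static filter registered
# through the FILTERS option of the constructor; it wraps
# HTML::StripScripts::Parser configured for inline content, so block-level
# and script tags are stripped while simple inline tags are kept.
my $hss = HTML::StripScripts::Parser->new({ Context => 'Inline' });

my $tt = Template->new({
    FILTERS => {
        safe_html => sub { my ($html) = @_; return $hss->filter_html($html) },
    },
}) or die Template->error;

my $template = <<'END_TT';
Welcome, [% nickname | html %]!
About you: [% bio | safe_html %]
END_TT

# Renders the profile page from already-validated fields.
sub render_profile {
    my ($vars) = @_;
    my $output = '';
    $tt->process(\$template, $vars, \$output) or die $tt->error;
    return $output;
}

my ($clean, $rejected) = validate_submission(\%submitted);
print "Rejected at the point of entry: @$rejected\n" if @$rejected;
print render_profile($clean);
```

The username never reaches the template because the validation profile drops it; the nickname is rendered through the html filter so its quotes and angle brackets come out as entities; and the bio goes through the StripScripts-backed filter, which is where the decision about what counts as "safe html" lives.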