Is it layered escaping that is needed, or can we simply make a new escape module called, say, "HTML_JS"?

Mathew

Alex Kapranoff wrote:
* Philip Tellis <philip.tellis@gmx.net> [October 18 2005, 16:02]:
  
s/pretty hard/impossible/;
That's why there's only 1 _default_.
      
Oh well, "Perl is designed to make the easy jobs easy, without making 
the hard jobs impossible."

I'd hoped that it was also, "... make impossible jobs pretty hard"
    

BTW, "double" or "layered" escaping is a very wanted feature.

See:
======
<script>
item.innerHTML = "<strong><TMPL_VAR new_content></strong>";
</script>
======

This var needs first HTML, then JS escaping (in that order) or else
the code is likely just plain insecure. This task is not solved right
now.
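
An added illustration of the ordering point in the quoted message (not code from HTML::Template or from anyone in this thread): it fills the template line above under four escaping strategies, lets the JavaScript engine decode the resulting string literal, and checks whether raw markup reaches `innerHTML`. The helper names, the `MODES` table and `SAMPLE` are constructed for this example.

```javascript
// Added example. TEMPLATE is the line from the message; everything else is constructed.
const TEMPLATE = 'item.innerHTML = "<strong><TMPL_VAR new_content></strong>";';
// Constructed input: literal markup plus the same markup spelled as JS \x escapes.
const SAMPLE = '<u>a</u> \\x3cu\\x3eb';

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);

// \uXXXX-escape every UTF-16 code unit outside a small safe set, so quotes,
// backslashes, newlines and "</script>" cannot end or alter the string literal.
const escapeJs = (s) => String(s).replace(/[^A-Za-z0-9 ,._-]/g,
  (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));

const MODES = {
  htmlOnly: escapeHtml,
  jsOnly: escapeJs,
  jsThenHtml: (s) => escapeHtml(escapeJs(s)), // wrong order
  htmlThenJs: (s) => escapeJs(escapeHtml(s)), // order asked for in the message
};

// Layer 1 (JS parser): fill the template, run it against a stub `item`,
// and return the string that would be handed to the HTML parser.
function assignedHtml(value, mode) {
  const source = TEMPLATE.replace('<TMPL_VAR new_content>', () => MODES[mode](value));
  const item = {};
  try {
    new Function('item', source)(item);
  } catch (e) {
    return null; // the value broke the script's syntax
  }
  return item.innerHTML;
}

// Layer 2 (HTML parser): any raw "<" between the <strong> tags is parsed as markup.
function injectsMarkup(value, mode) {
  const html = assignedHtml(value, mode);
  if (html === null || !html.startsWith('<strong>') || !html.endsWith('</strong>')) return true;
  return html.slice('<strong>'.length, -'</strong>'.length).includes('<');
}

for (const mode of Object.keys(MODES)) {
  console.log(mode.padEnd(11), 'markup reaches innerHTML:', injectsMarkup(SAMPLE, mode));
}
```

Only `htmlThenJs` keeps the value as text: the JS layer is decoded first by the browser, so it has to be applied last when rendering.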