Thread: [htmltmpl] option to turn ESCAPE=HTML on by default
From: Mark S. <ma...@su...> - 2005-10-14 14:43:32

Hello,

I'm curious about what other people think about an option to turn
ESCAPE=HTML on by default, to protect against cross-site scripting
practices by default.

This seems especially valuable when the convenient "associate => $q"
option is used.

Then programmers would be forcing themselves to consciously add
"NOESCAPE=html" to a tag.

To me, this seems like the equivalent of turning "use strict" on by
default, and explicitly declaring "no strict" where needed.

Thoughts?

Mark
From: Alex K. <ka...@ra...> - 2005-10-14 14:48:55

* Mark Stosberg <ma...@su...> [October 14 2005, 18:37]:
> I'm curious about what other people think about an option to
> turn ESCAPE=HTML on by default, to protect against cross-site scripting
> practices by default.
>
> This seems especially valuable when the convenient "associate => $q"
> option is used.
>
> Then programmers would be forcing themselves to consciously add
> "NOESCAPE=html" to a tag.
>
> To me, this seems like the equivalent of turning "use strict" on by
> default, and explicitly declaring "no strict" where needed.
>
> Thoughts?

All for it. About 10% of my TMPL_VARS are not escaped. "NOESCAPE=html"
looks very confusing. Should probably be "ESCAPE=none".

--
Alex Kapranoff,
$n=["1another7Perl213Just3hacker49"=~/\d|\D*/g]; $$n[0]={grep/\d/,@$n};print"@$n{1..4}\n"
From: Roger B. W. <ro...@fi...> - 2005-10-14 15:12:14

On Fri, Oct 14, 2005 at 06:49:40PM +0400, Alex Kapranoff wrote:
>* Mark Stosberg <ma...@su...> [October 14 2005, 18:37]:
>> I'm curious about what other people think about an option to
>> turn ESCAPE=HTML on by default, to protect against cross-site scripting
>> practices by default.
>All for it. About 10% of my TMPL_VARS are not escaped. "NOESCAPE=html"
>looks very confusing. Should probably be "ESCAPE=none".

Agreed, and that's a better option - remembering that we have ESCAPE=url
as a possible mode as well, and others in extension modules.
default_escape_mode would make sense as a parameter name.

R
From: Mark S. <ma...@su...> - 2005-10-14 15:26:24

On 2005-10-14, Roger Burton West <ro...@fi...> wrote:
> On Fri, Oct 14, 2005 at 06:49:40PM +0400, Alex Kapranoff wrote:
>>* Mark Stosberg <ma...@su...> [October 14 2005, 18:37]:
>>> I'm curious about what other people think about an option to
>>> turn ESCAPE=HTML on by default, to protect against cross-site scripting
>>> practices by default.
>>All for it. About 10% of my TMPL_VARS are not escaped. "NOESCAPE=html"
>>looks very confusing. Should probably be "ESCAPE=none".

You are right. Thanks for the refinement.

Mark
From: Paul B. <pb...@wh...> - 2005-10-14 16:51:39

On Oct 14, 2005, at 9:37 AM, Mark Stosberg wrote:
> I'm curious about what other people think about an option to
> turn ESCAPE=HTML on by default, to protect against cross-site scripting
> practices by default.

OMG YES!! 95% of all my vars have ESCAPE=HTML on them. Making this the
default would take away a lot of extra typing. But to turn it off for
the 5% I don't need escaped, ESCAPE=0 or ESCAPE=NONE or ESCAPE=NO would
be better.

--
Paul Baker

"Yes, we did produce a near-perfect republic. But will they keep it? Or
will they, in the enjoyment of plenty, lose the memory of freedom?"
-- Thomas Jefferson in a letter to John Adams

GPG Key: http://homepage.mac.com/pauljbaker/public.asc
From: Sam T. <sa...@tr...> - 2005-10-14 17:05:39

On Fri, 14 Oct 2005, Mark Stosberg wrote:
> I'm curious about what other people think about an option to
> turn ESCAPE=HTML on by default, to protect against cross-site scripting
> practices by default.

Sure, sounds reasonable to me.

-sam
From: Mathew R. <mat...@ne...> - 2005-10-16 23:48:37

If this is going to happen, can we make it optional, as some of us don't
want escaping.

Mathew

>>I'm curious about what other people think about an option to
>>turn ESCAPE=HTML on by default, to protect against cross-site scripting
>>practices by default.
>>
>Sure, sounds reasonable to me.
From: Mike <mik...@op...> - 2005-10-17 00:07:19

I think that would be a good idea. Perhaps have an extra parameter when
creating a new template object such as html_escape:

  my $template = HTML::Template->new(filename=>'filename.tmpl', html_escape=>1);

...to turn all escaping for that object on by default. If the programmer
wanted the existing default (no escaping) then leave that parameter out
during object creation. And still have the current ability to turn
escaping on (ESCAPE=HTML or ESCAPE=1) or off (ESCAPE=0) within the
template file.

Mike.

----- Original Message -----
From: "Mathew Robertson" <mat...@ne...>
To: <htm...@li...>
Sent: Monday, October 17, 2005 9:46 AM
Subject: Re: [htmltmpl] option to turn ESCAPE=HTML on by default

> If this is going to happen, can we make it optional, as some of us don't
> want escaping.
>
> Mathew
>
>>>I'm curious about what other people think about an option to
>>>turn ESCAPE=HTML on by default, to protect against cross-site scripting
>>>practices by default.
>>Sure, sounds reasonable to me.
From: Roger B. W. <ro...@fi...> - 2005-10-17 03:10:36

On Mon, Oct 17, 2005 at 10:08:13AM +1000, Mike wrote:
>my $template = HTML::Template->new(filename=>'filename.tmpl',
>html_escape=>1);

Orthogonality, please:

  escape => 'html'

just as we have ESCAPE=HTML in the templates. Remember that there also
exists ESCAPE=URL, and I'm sure various people have mentioned add-on
ESCAPE filters.

Roger
From: Alex K. <ka...@ra...> - 2005-10-17 10:56:02

* Roger Burton West <ro...@fi...> [October 17 2005, 07:10]: > >my $template = HTML::Template->new(filename=>'filename.tmpl', > >html_escape=>1); > > Orthogonality, please: > escape => 'html' > > just as we have ESCAPE=HTML in the templates. One name, one function, please :) default_escape => 'html'. Patch below, with tests. diff -ruN /tmp/HTML-Template-2.7/Template.pm HTML-Template-2.7/Template.pm --- /tmp/HTML-Template-2.7/Template.pm Fri Jun 18 21:42:06 2004 +++ HTML-Template-2.7/Template.pm Mon Oct 17 14:43:36 2005 @@ -955,6 +955,7 @@ no_includes => 0, case_sensitive => 0, filter => [], + default_template => undef, ); # load in options supplied to new() @@ -1076,6 +1077,12 @@ $self->{cache} = \%cache; } + if ($options->{default_escape}) { + unless ($options->{default_escape} =~ s/^(html|url|js)$/uc($1)/ie) { + croak("Wrong default_escape specified: \"$options->{default_escape}\"."); + } + } + print STDERR "### HTML::Template Memory Debug ### POST CACHE INIT ", $self->{proc_mem}->size(), "\n" if $options->{memory_debug}; @@ -1952,7 +1959,7 @@ $which = uc($1); # which tag is it - $escape = defined $5 ? $5 : defined $15 ? $15 : 0; # escape set? + $escape = defined $5 ? $5 : defined $15 ? $15 : defined $options->{default_escape} ? $options->{default_escape} : 0; # escape set? # what name for the tag? undef for a /tag at most, one of the # following three will be defined diff -ruN /tmp/HTML-Template-2.7/t/99-old-test-pl.t HTML-Template-2.7/t/99-old-test-pl.t --- /tmp/HTML-Template-2.7/t/99-old-test-pl.t Fri Jun 18 21:34:59 2004 +++ HTML-Template-2.7/t/99-old-test-pl.t Mon Oct 17 14:54:18 2005 @@ -795,7 +795,7 @@ ok($output =~ /I AM INNER 2/); # test javascript escaping -$template = $template = HTML::Template->new(path => ['templates'], +$template = HTML::Template->new(path => ['templates'], filename => 'js.tmpl'); $template->param(msg => qq{"He said 'Hello'.\n\r"}); $output = $template->output(); 
@@ -807,3 +807,24 @@ }; like($@, qr/empty filename/); +# test default escaping +$template = HTML::Template->new(path => ['templates'], + filename => 'default_escape.tmpl', + default_escape => 'UrL'); +$template->param(STUFF => q{Joined with space}); +$output = $template->output(); +is($output, q{Joined%20with%20space} . "\n"); + +$template = HTML::Template->new(path => ['templates'], + filename => 'default_escape.tmpl', + default_escape => 'html'); +$template->param(STUFF => q{Joined&with"cruft}); +$output = $template->output(); +is($output, q{Joined&with"cruft} . "\n"); + +eval { +$template = HTML::Template->new(path => ['templates'], + filename => 'default_escape.tmpl', + default_escape => 'wml'); +}; +like($@, qr/Wrong default_escape/); diff -ruN /tmp/HTML-Template-2.7/templates/default_escape.tmpl HTML-Template-2.7/templates/default_escape.tmpl --- /tmp/HTML-Template-2.7/templates/default_escape.tmpl Thu Jan 1 03:00:00 1970 +++ HTML-Template-2.7/templates/default_escape.tmpl Mon Oct 17 14:47:39 2005 @@ -0,0 +1 @@ +<TMPL_VAR STUFF> -- Alex Kapranoff, $n=["1another7Perl213Just3hacker49"=~/\d|\D*/g]; $$n[0]={grep/\d/,@$n};print"@$n{1..4}\n" |
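Review bot: in the Template.pm hunk at @@ -955, the key added to the defaults table is `default_template => undef,`, but every other line of the patch reads `$options->{default_escape}`; the option the constructor validates and the parser consults is therefore never initialised here. Rename the default to `default_escape => undef,`.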
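Review bot: in the Template.pm hunk at @@ -1952, the new fallback `defined $options->{default_escape} ? $options->{default_escape} : 0` runs for every tag the regex matches, not only TMPL_VAR: it sits right after `$which = uc($1); # which tag is it` and never tests `$which`, so a default escape mode is also attached to TMPL_LOOP and TMPL_INCLUDE tags, where it has no meaning. Guard it on the tag type, for example `: (defined $options->{default_escape} && $which eq 'TMPL_VAR') ? $options->{default_escape} : 0`.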
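Review bot: in the t/99-old-test-pl.t hunk at @@ -795, the `$template = $template =` cleanup is an unrelated fix riding along in a feature patch; it is correct, but it would be easier to review and to bisect as its own change.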
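Review bot: in the t/99-old-test-pl.t hunk at @@ -807, the html case asserts `is($output, q{Joined&with"cruft} . "\n")`, and the expected string as shown here is byte-for-byte the input; if the test file really contains that rather than the entity form that HTML escaping produces for `&` and `"`, the assertion passes only when nothing was escaped, so double-check the expected value. The URL case is sound as written: `Joined%20with%20space` can only come from escaping. The `wml` case checks the croak message but not that `default_escape` is normalised to upper case, which the `s/^(html|url|js)$/uc($1)/ie` in the constructor is there to do; an assertion on the stored value (the 'UrL' case is a good candidate) would cover that.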
From: Sam T. <sa...@tr...> - 2005-10-17 17:49:35

On Mon, 17 Oct 2005, Alex Kapranoff wrote:
> One name, one function, please :)
> default_escape => 'html'.
>
> Patch below, with tests.

Very cool.

> diff -ruN /tmp/HTML-Template-2.7/Template.pm HTML-Template-2.7/Template.pm
> --- /tmp/HTML-Template-2.7/Template.pm Fri Jun 18 21:42:06 2004
> +++ HTML-Template-2.7/Template.pm Mon Oct 17 14:43:36 2005
> @@ -955,6 +955,7 @@
> no_includes => 0,
> case_sensitive => 0,
> filter => [],
> + default_template => undef,

That should be "default_template" though, right?

Also, I haven't checked it, but I think you might need to add some code
to make sure this setting is inherited by loops. I'm only half-sure
about that though, so don't be surprised if I'm wrong!

-sam
From: Alex K. <ka...@ra...> - 2005-10-18 10:41:34

* Sam Tregar <sa...@tr...> [October 17 2005, 21:49]: > > diff -ruN /tmp/HTML-Template-2.7/Template.pm HTML-Template-2.7/Template.pm > > --- /tmp/HTML-Template-2.7/Template.pm Fri Jun 18 21:42:06 2004 > > +++ HTML-Template-2.7/Template.pm Mon Oct 17 14:43:36 2005 > > @@ -955,6 +955,7 @@ > > no_includes => 0, > > case_sensitive => 0, > > filter => [], > > + default_template => undef, > > That should be "default_template" though, right? Braino. You're of course right, that should read default_escape :) > Also, I haven't checked it, but I think you might need to add some > code to makes sure this setting is inherited by loops. I'm only > half-sure about that though, so don't be surprised if I'm wrong! I added tests for loops and includes, they seem to succeed. Updated patch below. diff -ruN /tmp/HTML-Template-2.7/Template.pm HTML-Template-2.7/Template.pm --- /tmp/HTML-Template-2.7/Template.pm Fri Jun 18 21:42:06 2004 +++ HTML-Template-2.7/Template.pm Tue Oct 18 14:24:57 2005 @@ -955,6 +955,7 @@ no_includes => 0, case_sensitive => 0, filter => [], + default_escape => undef, ); # load in options supplied to new() @@ -1076,6 +1077,12 @@ $self->{cache} = \%cache; } + if ($options->{default_escape}) { + unless ($options->{default_escape} =~ s/^(html|url|js)$/uc($1)/ie) { + croak("Wrong default_escape specified: \"$options->{default_escape}\"."); + } + } + print STDERR "### HTML::Template Memory Debug ### POST CACHE INIT ", $self->{proc_mem}->size(), "\n" if $options->{memory_debug}; 
@@ -1952,7 +1959,8 @@ $which = uc($1); # which tag is it - $escape = defined $5 ? $5 : defined $15 ? $15 : 0; # escape set? + $escape = defined $5 ? $5 : defined $15 ? $15 + : (defined $options->{default_escape} && $which eq 'TMPL_VAR') ? $options->{default_escape} : 0; # escape set? # what name for the tag? undef for a /tag at most, one of the # following three will be defined diff -ruN /tmp/HTML-Template-2.7/t/99-old-test-pl.t HTML-Template-2.7/t/99-old-test-pl.t --- /tmp/HTML-Template-2.7/t/99-old-test-pl.t Fri Jun 18 21:34:59 2004 +++ HTML-Template-2.7/t/99-old-test-pl.t Tue Oct 18 14:35:51 2005 @@ -795,7 +795,7 @@ ok($output =~ /I AM INNER 2/); # test javascript escaping -$template = $template = HTML::Template->new(path => ['templates'], +$template = HTML::Template->new(path => ['templates'], filename => 'js.tmpl'); $template->param(msg => qq{"He said 'Hello'.\n\r"}); $output = $template->output(); 
@@ -807,3 +807,32 @@ }; like($@, qr/empty filename/); +# test default escaping + +ok(exists $template->{options}->{default_escape} && !defined $template->{options}->{default_escape}, "default default_escape"); + +$template = HTML::Template->new(path => ['templates'], + filename => 'default_escape.tmpl', + default_escape => 'UrL'); +is($template->{options}->{default_escape}, 'URL'); +$template->param(STUFF => q{Joined with space}); +$output = $template->output(); +like($output, qr{^Joined%20with%20space}); + +$template = HTML::Template->new(path => ['templates'], + filename => 'default_escape.tmpl', + default_escape => 'html'); +$template->param(STUFF => q{Joined&with"cruft}); +$template->param(LOOP => [ { MORE_STUFF => '<&>' }, { MORE_STUFF => '>&<' } ]); +$template->param(a => '<b>'); +$output = $template->output(); +like($output, qr{^Joined&with"cruft}); +like($output, qr{<&>>&<}); +like($output, qr{because it's <b>}); + +eval { +$template = HTML::Template->new(path => ['templates'], + filename => 'default_escape.tmpl', + default_escape => 'wml'); +}; +like($@, qr/Wrong default_escape/); diff -ruN /tmp/HTML-Template-2.7/templates/default_escape.tmpl HTML-Template-2.7/templates/default_escape.tmpl --- /tmp/HTML-Template-2.7/templates/default_escape.tmpl Thu Jan 1 03:00:00 1970 +++ HTML-Template-2.7/templates/default_escape.tmpl Tue Oct 18 14:33:49 2005 @@ -0,0 +1,4 @@ +<TMPL_VAR STUFF> +<TMPL_LOOP LOOP><TMPL_VAR MORE_STUFF></TMPL_LOOP> + +be<TMPL_INCLUDE default.tmpl> -- Alex Kapranoff, $n=["1another7Perl213Just3hacker49"=~/\d|\D*/g]; $$n[0]={grep/\d/,@$n};print"@$n{1..4}\n" |
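Review bot: missing documentation for the new constructor option. Neither Template.pm hunk adds a POD entry for `default_escape`, so the accepted values (html, url, js, matched case-insensitively by `s/^(html|url|js)$/uc($1)/ie`), the croak on anything else, and the fact that a per-tag `ESCAPE=...` clause still wins are only discoverable by reading the source. Add a paragraph next to the other `new()` options before this goes into a release.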
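Review bot: in the Template.pm hunk at @@ -1952, the `$which eq 'TMPL_VAR'` guard is the right fix, and because `defined $5` and `defined $15` are tested first, an explicit `ESCAPE=0` on a tag still overrides the default; that override is exactly what users of the option will rely on (the thread's "trusted 5%"), yet none of the new tests exercise it. Add a `<TMPL_VAR ... ESCAPE=0>` to default_escape.tmpl and assert that its value comes through unescaped under `default_escape => 'html'`.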
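Review bot: in the t/99-old-test-pl.t hunk at @@ -807, `like($output, qr{because it's <b>})` depends on templates/default.tmpl containing that text with a TMPL_VAR named `a`, and that file is not part of this patch, so the include test silently relies on an existing fixture; a comment naming the dependency would save the next reader a search. The first check, `ok(exists $template->{options}->{default_escape} && !defined ...)`, reaches into object internals through whatever `$template` the previous test left behind, which makes it order-dependent; construct a fresh template for that assertion. As in the earlier version, the expected strings `Joined&with"cruft` and `<&>>&<` read as unescaped here, so confirm the file holds the entity-escaped forms.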
From: Mike <mik...@op...> - 2005-10-18 11:05:21

Sorry to be a pain here, but given that there is also an ESCAPE=URL option
(as Roger pointed out), would it be better to revert back to my original
suggestion of setting 'html_escape' (and now 'url_escape') to 1 (or ON) in
the constructor if they are to be defaults for the template file? Exactly
what they are called I don't mind, but since there are 2 escaping options
in H::T, using 'default_escape' could be ambiguous.

Alex's patch seems to work well for the html escaping. Perhaps include a
default url escaping option for completeness.

Mike.
From: Alex K. <ka...@ra...> - 2005-10-18 11:14:01

Mike, default_escape can be set to 'URL' or even 'JS' (there's
Javascript escaping in recent HTML::Template too). That's even tested
in my patch. I use non-html escapings a lot myself and that's why I did
it this way.

* Mike <mik...@op...> [October 18 2005, 15:05]:
> Sorry to be a pain here, but given that there is also an ESCAPE=URL option
> (as Roger pointed out), would it be better to revert back to my original
> suggestion of setting 'html_escape' (and now 'url_escape') to 1 (or ON) in
> the constructor if they are to be defaults for the template file? Exactly
> what they are called I don't mind, but since there are 2 escaping options
> in H::T, using 'default_escape' could be ambiguous.
>
> Alex's patch seems to work well for the html escaping. Perhaps include a
> default url escaping option for completeness.
>
> Mike.

--
Alex Kapranoff,
$n=["1another7Perl213Just3hacker49"=~/\d|\D*/g]; $$n[0]={grep/\d/,@$n};print"@$n{1..4}\n"
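An added example, not code from the thread and not HTML::Template's own test suite: a script exercising the `default_escape` constructor option as it shipped in HTML::Template 2.8 and later. It assumes HTML::Template >= 2.8 is installed; the template text, variable names and sample values are constructed for the demonstration. It shows the three behaviours the thread argues about: the default applies to every TMPL_VAR, including those inside a TMPL_LOOP; a tag's own ESCAPE=URL overrides the default for that one value; and ESCAPE=0 opts a single trusted value out, which is the "use strict / no strict" model from Mark's opening mail.

```perl
#!/usr/bin/perl
# Added example; not code from the mailing-list thread or from HTML::Template.
# Assumes HTML::Template >= 2.8 (the release that gained default_escape).
use strict;
use warnings;
use HTML::Template;

# Constructed template. With default_escape set, every TMPL_VAR is escaped
# unless the tag carries its own ESCAPE clause: ESCAPE=URL overrides the
# default for the query-string value, ESCAPE=0 opts a vetted value out.
my $template_text = <<'END_TEMPLATE';
<h1><TMPL_VAR NAME=title></h1>
<div><TMPL_VAR NAME=trusted_html ESCAPE=0></div>
<a href="/search?q=<TMPL_VAR NAME=query ESCAPE=URL>">search</a>
<ul>
<TMPL_LOOP NAME=items><li><TMPL_VAR NAME=label></li>
</TMPL_LOOP></ul>
END_TEMPLATE

# Constructed values of the kind that arrive from a request: markup,
# both quote kinds, an ampersand. Only trusted_html is meant to be raw.
my %params = (
    title        => q{Fish & "Chips" <tonight>},
    trusted_html => q{<em>markup the application already vetted</em>},
    query        => q{fish & chips},
    items        => [ { label => q{<b>not bold</b>} }, { label => q{it's} } ],
);

# Render with a given default escape mode: 'HTML', 'URL' or 'JS', any case.
# An unknown mode makes new() croak, which is the validation in Alex's patch.
sub render {
    my ($mode) = @_;
    my $t = HTML::Template->new(
        scalarref      => \$template_text,
        default_escape => $mode,
    );
    $t->param(%params);
    return $t->output;
}

print "--- default_escape => 'HTML' ---\n", render('HTML');

# Same template without the option: only tags with their own ESCAPE clause
# are escaped, which is the pre-2.8 behaviour the thread wants to move off.
my $plain = HTML::Template->new(scalarref => \$template_text);
$plain->param(%params);
print "--- no default_escape ---\n", $plain->output;
```

In the first rendering the title, the loop labels and the quote in `it's` all come out entity-encoded, the search link is percent-encoded by its own ESCAPE=URL, and only the ESCAPE=0 value is emitted as written; in the second rendering the title and the loop labels reach the page raw. Calling `render('URL')` or `render('JS')` swaps the default for all tags that do not override it, which is why one default rather than per-mode flags is enough.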
From: Philip T. <phi...@gm...> - 2005-10-18 11:27:58

Sometime Today, AK cobbled together some glyphs to say:
> Mike, default_escape can be set to 'URL' or even 'JS' (there's
> Javascript escaping in recent HTML::Template too). That's even tested

Consider this:

If I have some code in my template that needs to be html escaped, and
other code that needs to be js escaped, and I want both to be on by
default.

It makes sense therefore to do this:

  html_escape => 1, js_escape => 1, foo_escape => 0

Of course, it's pretty hard to figure out which TMPL_VARs need to be
escaped in each way. It's also hard to extend this with sanity.

Philip

--
The sooner our happiness together begins, the longer it will last.
-- Miramanee, "The Paradise Syndrome", stardate 4842.6
From: Mike <mik...@op...> - 2005-10-18 11:35:25

Yes, I realise this now. My apologies for confusing the matter.

Mike.

----- Original Message -----
From: "Philip Tellis" <phi...@gm...>
To: "HTML::Template List" <htm...@li...>
Sent: Tuesday, October 18, 2005 9:27 PM
Subject: Re: [htmltmpl] option to turn ESCAPE=HTML on by default

> Sometime Today, AK cobbled together some glyphs to say:
>
>> Mike, default_escape can be set to 'URL' or even 'JS' (there's
>> Javascript escaping in recent HTML::Template too). That's even tested
>
> Consider this:
>
> If I have some code in my template that needs to be html escaped, and
> other code that needs to be js escaped, and I want both to be on by
> default.
>
> It makes sense therefore to do this:
>
> html_escape => 1, js_escape => 1, foo_escape => 0
>
> Of course, it's pretty hard to figure out which TMPL_VARs need to be
> escaped in each way. It's also hard to extend this with sanity.
>
> Philip
From: Carl F. <fir...@gm...> - 2005-10-18 11:40:27

On 18/10/05, Philip Tellis <phi...@gm...> wrote:
> I want both to be on by
> default.

There can only be 1 _default_, by definition

> It makes sense therefore to do this:
>
> html_escape => 1, js_escape => 1, foo_escape => 0

> Of course, it's pretty hard to figure out which TMPL_VARs need to be
> escaped in each way. It's also hard to extend this with sanity.

s/pretty hard/impossible/;

That's why there's only 1 _default_. If there's going to be more HTML
vars than URLs, then set default to HTML, and manually set each URL var
to ESCAPE=URL - or vice versa - it's still less work to do that than
before.

Carl
From: Philip T. <phi...@gm...> - 2005-10-18 12:02:56

Sometime Today, CF cobbled together some glyphs to say:
> s/pretty hard/impossible/;
> That's why there's only 1 _default_.

Oh well, "Perl is designed to make the easy jobs easy, without making
the hard jobs impossible."

I'd hoped that it was also, "... make impossible jobs pretty hard"

--
The debate rages on: Is PL/I Bachtrian or Dromedary?
From: Alex K. <ka...@ra...> - 2005-10-18 12:25:50

* Philip Tellis <phi...@gm...> [October 18 2005, 16:02]:
> >s/pretty hard/impossible/;
> >That's why there's only 1 _default_.
>
> Oh well, "Perl is designed to make the easy jobs easy, without making
> the hard jobs impossible."
>
> I'd hoped that it was also, "... make impossible jobs pretty hard"

BTW, "double" or "layered" escaping is a very wanted feature.

See:
======
<script>
item.innerHTML = "<strong><TMPL_VAR new_content></strong>";
</script>
======

This var needs first HTML, then JS escaping (in that order) or else
the code is likely just plain insecure. This task is not solved right
now.

--
Alex Kapranoff,
$n=["1another7Perl213Just3hacker49"=~/\d|\D*/g]; $$n[0]={grep/\d/,@$n};print"@$n{1..4}\n"
From: Mathew R. <mat...@ne...> - 2005-10-20 04:24:45

Is layered escaping what is needed, or can we simply make a new escape
module called, say, "HTML_JS"?

Mathew

Alex Kapranoff wrote:
>BTW, "double" or "layered" escaping is a very wanted feature.
>
>See:
>======
><script>
>item.innerHTML = "<strong><TMPL_VAR new_content></strong>";
></script>
>======
>
>This var needs first HTML, then JS escaping (in that order) or else
>the code is likely just plain insecure. This task is not solved right
>now.
From: Alex K. <ka...@ra...> - 2005-10-24 11:01:43

You are right, that would suffice. But as far as I understand, making
escape modules is not trivial. Escaping is not abstracted enough inside
HTML::Template.

* Mathew Robertson <mat...@ne...> [October 20 2005, 08:22]:
> Is layered escaping what is needed, or can we simply make a new escape
> module called, say, "HTML_JS"?
>
> Mathew
>
> Alex Kapranoff wrote:
> >BTW, "double" or "layered" escaping is a very wanted feature.
> >
> >See:
> >======
> ><script>
> >item.innerHTML = "<strong><TMPL_VAR new_content></strong>";
> ></script>
> >======
> >
> >This var needs first HTML, then JS escaping (in that order) or else
> >the code is likely just plain insecure. This task is not solved right
> >now.

--
Alex Kapranoff,
$n=["1another7Perl213Just3hacker49"=~/\d|\D*/g]; $$n[0]={grep/\d/,@$n};print"@$n{1..4}\n"
From: Mathew R. <mat...@ne...> - 2005-10-25 23:12:46

hehe - then you haven't tried my version of H::T ...

I modified H::T so that it dynamically loads the appropriate escape
module -> you simply do this:

  package HTML::Template::ESCAPE::HTML_JS;
  use HTML::Template::ESCAPE;
  $HTML::Template::ESCAPE::HTML_JS::VERSION = '1.0';

  sub output {
    my $self = shift;
    $_ = shift if (@_ > 0);
    ...blah...
    $_;
  }

then save the file somewhere in your PERL5LIB directory list.

Mathew

Alex Kapranoff wrote:
>You are right, that would suffice. But as far as I understand, making
>escape modules is not trivial. Escaping is not abstracted enough inside
>HTML::Template.
>
>* Mathew Robertson <mat...@ne...> [October 20 2005, 08:22]:
>>Is layered escaping what is needed, or can we simply make a new escape
>>module called, say, "HTML_JS"?
>>
>>Mathew
>>
>>Alex Kapranoff wrote:
>>>BTW, "double" or "layered" escaping is a very wanted feature.
>>>
>>>See:
>>>======
>>><script>
>>>item.innerHTML = "<strong><TMPL_VAR new_content></strong>";
>>></script>
>>>======
>>>
>>>This var needs first HTML, then JS escaping (in that order) or else
>>>the code is likely just plain insecure. This task is not solved right
>>>now.
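An added example, not Mathew's code, HTML::Template's or any CPAN module's: a complete escape module in the shape Mathew sketches, filling in the layered HTML-then-JS escaping Alex asked for with his `item.innerHTML` snippet. The package name `HTML::Template::ESCAPE::HTML_JS` and the `output($self, $value)` calling convention follow Mathew's description of his private fork and are assumptions about that fork; the script does not depend on them, since the escaper is plain Perl and runs on its own without HTML::Template installed. The sample value is constructed.

```perl
#!/usr/bin/perl
# Added example; not code from the thread, from Mathew's fork or from
# HTML::Template. Package name and output() interface are assumptions taken
# from Mathew's sketch. Runs stand-alone: no HTML::Template needed.
use strict;
use warnings;

package HTML::Template::ESCAPE::HTML_JS;

# Markup context: neutralise the characters that open tags, entities and
# attribute delimiters (same set HTML::Template's ESCAPE=HTML handles).
sub _escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    return $s;
}

# JS string-literal context: neutralise the backslash, both quote kinds and
# line terminators, any of which would end or corrupt the literal.
sub _escape_js {
    my ($s) = @_;
    $s =~ s/\\/\\\\/g;
    $s =~ s/'/\\'/g;
    $s =~ s/"/\\"/g;
    $s =~ s/\n/\\n/g;
    $s =~ s/\r/\\r/g;
    return $s;
}

# Entry point in the shape Mathew's fork calls: output($self, $value).
# The browser first decodes the JS string literal and only then hands the
# result to innerHTML, which parses it as HTML; escaping therefore has to be
# applied in the reverse order of decoding: HTML first, JS on top.
sub output {
    my ($self, $value) = @_;
    $value = $_ unless defined $value;   # mirror Mathew's $_ fallback
    return _escape_js(_escape_html($value));
}

package main;

# Constructed untrusted value: a tag, both quote kinds, a backslash, a newline.
my $new_content = qq{Fish & "Chips" <tonight>, it's \\ here\n};

my $escaped = HTML::Template::ESCAPE::HTML_JS->output($new_content);

# Alex's template fragment with the escaped value substituted in.
print qq{<script>\nitem.innerHTML = "<strong>$escaped</strong>";\n</script>\n};
```

The printed literal contains no raw quote, backslash or line break, so the JS string ends where the template says it does, and no raw `<` or `>`, so nothing in the value can be read as markup by either the script element or innerHTML; when the browser undoes the two layers it renders the original text, tag and all, as text inside the `<strong>`. Applying only one of the two escapers leaves the other context exposed, which is the "likely just plain insecure" case Alex describes.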
From: Carl F. <fir...@gm...> - 2005-10-18 13:14:13

On 18/10/05, Philip Tellis <phi...@gm...> wrote:
> Oh well, "Perl is designed to make the easy jobs easy, without making
> the hard jobs impossible."
>
> I'd hoped that it was also, "... make impossible jobs pretty hard"

touché :)

A new option to allow HTML::Template to load up HTML::Parser and decide
itself which escaping to use?

Carl
From: Sam T. <sa...@tr...> - 2005-12-21 22:59:33

On Tue, 18 Oct 2005, Alex Kapranoff wrote:
> I added tests for loops and includes, they seem to succeed. Updated
> patch below.

Applied for 2.8, which is coming soon by the way!

Thanks,
-sam
From: Alex K. <ka...@ra...> - 2005-12-22 12:21:11

* Sam Tregar <sa...@tr...> [December 22 2005, 01:59]:
> > I added tests for loops and includes, they seem to succeed. Updated
> >patch below.
>
> Applied for 2.8, which is coming soon by the way!

That's nice, thanks!

Too bad I was late to send the additional ESCAPE=none (as a synonym for
ESCAPE=0) patch for completeness. It was sleeping time over here between
your two mails -- this and the release announcement :)

--
Alex Kapranoff,
$n=["1another7Perl213Just3hacker49"=~/\d|\D*/g]; $$n[0]={grep/\d/,@$n};print"@$n{1..4}\n"