Re: [htmltmpl] Suggestion on how to eliminate Cross-site-scripting (XSS) bugs for good.
From: Shlomi F. <sh...@ig...> - 2006-11-15 19:22:36
On Thursday 26 October 2006 01:07, Jonathan Lang wrote:
> Shlomi Fish wrote:
> > Having read the thread, I don't think that's enough for me. I want to
> > still need to explicitly specify "ESCAPE=HTML" everywhere (without having
> > a default escape), to have an exception raised on a non-escaped
> > occurrence, and to add an explicit unescaping (like "ESCAPE="0"").
>
> Let me see if I've got this straight: you want to force the template
> writer to include "ESCAPE=something" in every TMPL_VAR, where
> "something" can be "HTML", "URL", or a value indicating "no escapes"
> (say, "TEXT"); failure to do so would cause a catchable error in your
> script when you try to evaluate the template. Right?

Yes.

> > So I guess I'm going to fire up my editor and write an HTML::Template
> > sub-class.
>
> Probably. May I suggest a form for your subclass to take? Let
> "default_escape" contain two additional values: "TEXT" (which means
> the same as "0" above, and can also be used in 'ESCAPE=' to override
> the default with no escaping), and "NONE" (which throws an exception
> any time a TMPL_VAR lacks 'ESCAPE='). This will let you easily switch
> to an appropriate default_escape value once transition to the new code
> is complete.

OK.

Regards,

Shlomi Fish

---------------------------------------------------------------------
Shlomi Fish sh...@ig...
Homepage: http://www.shlomifish.org/

Chuck Norris wrote a complete Perl 6 implementation in a day but then
destroyed all evidence with his bare hands, so no one will know his
secrets.
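As an added example, not code from this thread and not part of HTML::Template itself, here is one way the subclass Jonathan sketches above could look in Perl. It assumes HTML::Template is installed and that its documented `default_escape` option and `ESCAPE=` attribute (HTML, URL, JS, 0) behave as described in its docs; the package name HTML::Template::StrictEscape, the two helper subs and the sample template are all made up for this illustration. Instead of patching HTML::Template's parser, it scans the template source for TMPL_VAR tags before handing it to the parent class: `default_escape => 'NONE'` dies if any tag lacks `ESCAPE=`, `default_escape => 'TEXT'` means no default escaping, and `ESCAPE=TEXT` inside a template is rewritten to `ESCAPE=0` so the parent accepts it.

```perl
package HTML::Template::StrictEscape;   # hypothetical name; not a CPAN module
use strict;
use warnings;
use parent 'HTML::Template';

# Constructor: same options as HTML::Template->new, plus the two extra
# default_escape values suggested in the thread (constructed here):
#   default_escape => 'NONE'  dies if any TMPL_VAR lacks an ESCAPE attribute
#   default_escape => 'TEXT'  means no escaping, the same as ESCAPE=0
# ESCAPE=TEXT inside the template is rewritten to ESCAPE=0 before parsing.
sub new {
    my ($class, %opts) = @_;
    my $mode = delete $opts{default_escape};
    my $text = _template_text(\%opts);

    if (defined $mode && uc $mode eq 'NONE') {
        my @missing = _vars_without_escape($text);
        die "TMPL_VAR without ESCAPE attribute: " . join(', ', @missing) . "\n"
            if @missing;
        undef $mode;    # every tag carries its own ESCAPE; no default needed
    }
    elsif (defined $mode && uc $mode eq 'TEXT') {
        undef $mode;    # HTML::Template's own default is already "no escaping"
    }

    $text =~ s/(ESCAPE\s*=\s*["']?)TEXT\b(["']?)/${1}0$2/gi;
    $opts{scalarref}      = \$text;
    $opts{default_escape} = $mode if defined $mode;   # HTML, URL or JS pass through
    return $class->SUPER::new(%opts);
}

# Return the template source, accepting either scalarref or filename.
# (The file is read here, so TMPL_INCLUDEd files are not scanned: a limitation.)
sub _template_text {
    my ($opts) = @_;
    if (my $ref = delete $opts->{scalarref}) { return $$ref }
    if (my $file = delete $opts->{filename}) {
        open my $fh, '<', $file or die "cannot open $file: $!";
        local $/;
        return <$fh>;
    }
    die "need scalarref or filename\n";
}

# Return the attribute text of every TMPL_VAR tag that has no ESCAPE=...
# Handles both <TMPL_VAR ...> and <!-- TMPL_VAR ... --> forms, case-insensitively.
sub _vars_without_escape {
    my ($text) = @_;
    my @missing;
    while ($text =~ /<(?:!--\s*)?TMPL_VAR\b([^>]*?)(?:--)?>/gi) {
        my $attrs = $1;
        next if $attrs =~ /\bESCAPE\s*=/i;
        $attrs =~ s/^\s+|\s+$//g;
        push @missing, $attrs;
    }
    return @missing;
}

package main;

# Constructed sample template: every tag states how its value is escaped.
my $tmpl = <<'END';
<h1><TMPL_VAR NAME="title" ESCAPE=HTML></h1>
<a href="/search?q=<TMPL_VAR NAME="query" ESCAPE=URL>">search</a>
<TMPL_VAR NAME="trusted_fragment" ESCAPE=TEXT>
END

my $t = HTML::Template::StrictEscape->new(
    scalarref => \$tmpl, default_escape => 'NONE');
$t->param(
    title            => '<script>alert(1)</script>',   # HTML-escaped on output
    query            => 'a&b',                          # URL-escaped on output
    trusted_fragment => '<hr>',                         # inserted as-is (ESCAPE=TEXT)
);
print $t->output;

# A template that forgets ESCAPE on one tag is rejected before it can render.
my $bad = '<p><TMPL_VAR NAME="comment"></p>';
eval { HTML::Template::StrictEscape->new(scalarref => \$bad, default_escape => 'NONE') };
print "rejected: $@" if $@;
```

The check happens at construction time, so a forgotten ESCAPE fails when the template is loaded rather than surfacing as an XSS bug in production. Two caveats a practitioner should keep in mind: the regex scan only sees the text it is given, so files pulled in via TMPL_INCLUDE are not checked, and once the transition is done the same wrapper lets you drop `NONE` for `default_escape => 'HTML'` without touching the templates, exactly the switch Jonathan describes.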