html-template-users Mailing List for HTML::Template (Page 16)
From: Shlomi F. <sh...@ig...> - 2006-11-16 11:18:06

On Thursday 16 November 2006 11:43, Shlomi Fish wrote:
> On Wednesday 15 November 2006 22:59, Sam Tregar wrote:
> > On Wed, 15 Nov 2006, Shlomi Fish wrote:
> > > A question if I may. Why weren't the tests and other changes that
> > > were done to the Phalanx work on HTML-Template:
> > >
> > > * http://svn.perl.org/phalanx/HTML-Template/
> > > * http://hew.ca/yapc/phalanx/slides/TABLE_OF_CONTENTS.html
> > >
> > > Integrated into the mainline HTML-Template at:
> > >
> > > https://svn.sourceforge.net/svnroot/html-template/
> >
> > Lack of motivation, I suppose. As far as I know they never found or
> > fixed a bug in HTML::Template.
>
> Well, the main point of a full test coverage is to prevent *future* bugs.
>
> > At this point their repo is out of
> > date and it would be a painful process to do the merge.
> >
> > Patches welcome, of course. Beware though, I have a history of
> > rejecting changes to existing tests - if it ain't broke... New tests
> > are always welcome though!
>
> Check:
>
> http://www.shlomifish.org/Files/files/code/perl/HTML-Template/h-t-phalanx.diff.bz2
>
> Took me exactly 10 minutes to forward port the patch from the Phalanx
> repository. So it wasn't such a painful process. :-D

Hmmm... I spoke too soon. The first incarnation of the patch did not pass the tests. I now have a better patch at the same URL:

http://www.shlomifish.org/Files/files/code/perl/HTML-Template/h-t-phalanx.diff.bz2

Please apply it instead.

Regards,

Shlomi Fish

---------------------------------------------------------------------
Shlomi Fish sh...@ig...
Homepage: http://www.shlomifish.org/

Chuck Norris wrote a complete Perl 6 implementation in a day but then destroyed all evidence with his bare hands, so no one will know his secrets.
From: Shlomi F. <sh...@ig...> - 2006-11-16 09:48:49

On Wednesday 15 November 2006 22:59, Sam Tregar wrote:
> On Wed, 15 Nov 2006, Shlomi Fish wrote:
> > A question if I may. Why weren't the tests and other changes that
> > were done to the Phalanx work on HTML-Template:
> >
> > * http://svn.perl.org/phalanx/HTML-Template/
> > * http://hew.ca/yapc/phalanx/slides/TABLE_OF_CONTENTS.html
> >
> > Integrated into the mainline HTML-Template at:
> >
> > https://svn.sourceforge.net/svnroot/html-template/
>
> Lack of motivation, I suppose. As far as I know they never found or
> fixed a bug in HTML::Template.

Well, the main point of a full test coverage is to prevent *future* bugs.

> At this point their repo is out of
> date and it would be a painful process to do the merge.
>
> Patches welcome, of course. Beware though, I have a history of
> rejecting changes to existing tests - if it ain't broke... New tests
> are always welcome though!

Check:

http://www.shlomifish.org/Files/files/code/perl/HTML-Template/h-t-phalanx.diff.bz2

Took me exactly 10 minutes to forward port the patch from the Phalanx repository. So it wasn't such a painful process. :-D

Regards,

Shlomi Fish

---------------------------------------------------------------------
Shlomi Fish sh...@ig...
Homepage: http://www.shlomifish.org/

Chuck Norris wrote a complete Perl 6 implementation in a day but then destroyed all evidence with his bare hands, so no one will know his secrets.
From: Sam T. <sa...@tr...> - 2006-11-15 21:01:35

On Tue, 17 Oct 2006, Tom Heady wrote:
> Actually, I found that turning off escaping (ESCAPE="0") does not work
> if you specify a default escape.
>
> See http://rt.cpan.org/Public/Bug/Display.html?id=18274 for more details
> and a fix.

I'll make sure this gets into the next release. I'm planning to put one out soon.

-sam
From: Sam T. <sa...@tr...> - 2006-11-15 20:59:51

On Wed, 15 Nov 2006, Shlomi Fish wrote:
> A question if I may. Why weren't the tests and other changes that
> were done to the Phalanx work on HTML-Template:
>
> * http://svn.perl.org/phalanx/HTML-Template/
> * http://hew.ca/yapc/phalanx/slides/TABLE_OF_CONTENTS.html
>
> Integrated into the mainline HTML-Template at:
>
> https://svn.sourceforge.net/svnroot/html-template/

Lack of motivation, I suppose. As far as I know they never found or fixed a bug in HTML::Template. At this point their repo is out of date and it would be a painful process to do the merge.

Patches welcome, of course. Beware though, I have a history of rejecting changes to existing tests - if it ain't broke... New tests are always welcome though!

-sam
From: Shlomi F. <sh...@ig...> - 2006-11-15 20:09:29

Hi all!

A question if I may. Why weren't the tests and other changes that were done to the Phalanx work on HTML-Template:

* http://svn.perl.org/phalanx/HTML-Template/
* http://hew.ca/yapc/phalanx/slides/TABLE_OF_CONTENTS.html

Integrated into the mainline HTML-Template at:

https://svn.sourceforge.net/svnroot/html-template/

I'd like to know that so I can proceed with writing the module I mentioned in the previous thread.

Regards,

Shlomi Fish

---------------------------------------------------------------------
Shlomi Fish sh...@ig...
Homepage: http://www.shlomifish.org/

Chuck Norris wrote a complete Perl 6 implementation in a day but then destroyed all evidence with his bare hands, so no one will know his secrets.
From: Shlomi F. <sh...@ig...> - 2006-11-15 19:26:39

On Thursday 26 October 2006 02:12, Mathew Robertson wrote:
> >> Having read the thread, I don't think that's enough for me. I want to
> >> still need to explicitly specify "ESCAPE=HTML" everywhere (without
> >> having a default escape), to have an exception raised on a non-escaped
> >> occurrence, and to add an explicit unescaping (like "ESCAPE="0"").
> >
> > Let me see if I've got this straight: you want to force the template
> > writer to include "ESCAPE=something" in every TMPL_VAR, where
> > "something" can be "HTML", "URL", or a value indicating "no escapes"
> > (say, "TEXT"); failure to do so would cause a catchable error in your
> > script when you try to evaluate the template. Right?
>
> hmm... it doesn't sound right at all. Forcing the developer to
> remember to have to type ESCAPE=... for every TMPL_VAR is just not
> right.
>
> I personally forget to even use NAME=... and I just about never
> quote the value either due to laziness.
>
> The reality is that people are lazy/forgetful/efficient - the
> general idea in life is to make life easier, not harder. I'd
> suggest just to use the functionality as is. ie: set default_escape
> to whatever the default is; when no escape is necessary, then the
> developer will explicitly say so.

In case you forget to do that, then perl will throw an exception and force you to add that. So you won't get something bad for your laziness/forgetfulness.

Besides, this would be a sub-class of HTML::Template and no-one will be forced to use it.

> >> So I guess I'm going to fire up my editor and write an HTML::Template
> >> sub-class.
> >
> > Probably. May I suggest a form for your subclass to take? Let
> > "default_escape" contain two additional values: "TEXT" (which means
> > the same as "0" above, and can also be used in 'ESCAPE=' to override
> > the default with no escaping), and "NONE" (which throws an exception
> > any time a TMPL_VAR lacks 'ESCAPE='). This will let you easily switch
> > to an appropriate default_escape value once transition to the new code
> > is complete.
>
> Please don't use "TEXT" to mean none - there is at least one filter
> that has been posted on this list which is for 'text' documents.
> ie: the filter is like the HTML filter, but also handles newlines &
> carriage returns, etc. How about "NONE" or "NO" or "0" to mean 'no
> escaping is necessary'.
>
> Also, "NONE" (as described above) should be "THROW" - the term is
> common in computer science, let's use it.

I'll use NONE.

Regards,

Shlomi Fish

---------------------------------------------------------------------
Shlomi Fish sh...@ig...
Homepage: http://www.shlomifish.org/

Chuck Norris wrote a complete Perl 6 implementation in a day but then destroyed all evidence with his bare hands, so no one will know his secrets.
From: Shlomi F. <sh...@ig...> - 2006-11-15 19:22:36

On Thursday 26 October 2006 01:07, Jonathan Lang wrote:
> Shlomi Fish wrote:
> > Having read the thread, I don't think that's enough for me. I want to
> > still need to explicitly specify "ESCAPE=HTML" everywhere (without having
> > a default escape), to have an exception raised on a non-escaped
> > occurrence, and to add an explicit unescaping (like "ESCAPE="0"").
>
> Let me see if I've got this straight: you want to force the template
> writer to include "ESCAPE=something" in every TMPL_VAR, where
> "something" can be "HTML", "URL", or a value indicating "no escapes"
> (say, "TEXT"); failure to do so would cause a catchable error in your
> script when you try to evaluate the template. Right?

Yes.

> > So I guess I'm going to fire up my editor and write an HTML::Template
> > sub-class.
>
> Probably. May I suggest a form for your subclass to take? Let
> "default_escape" contain two additional values: "TEXT" (which means
> the same as "0" above, and can also be used in 'ESCAPE=' to override
> the default with no escaping), and "NONE" (which throws an exception
> any time a TMPL_VAR lacks 'ESCAPE='). This will let you easily switch
> to an appropriate default_escape value once transition to the new code
> is complete.

OK.

Regards,

Shlomi Fish

---------------------------------------------------------------------
Shlomi Fish sh...@ig...
Homepage: http://www.shlomifish.org/

Chuck Norris wrote a complete Perl 6 implementation in a day but then destroyed all evidence with his bare hands, so no one will know his secrets.
From: Dan H. <dan...@re...> - 2006-10-26 17:14:14

> From: htm...@li... [mailto:html-tem...@li...] On Behalf Of Eric Frazier
>
> This is pretty topical for me, but a little off topic for HTML::Template..
> I was looking for a good example on how to do this filtering. In the Perl
> world I found HTML::StripScripts
> and it looked like a good idea at the time sort of thing, it just seemed
> too good/complex for me. Like the best way to do things, but I don't have
> time for that :)

Another option for sanitising input is HTML::Scrubber (http://search.cpan.org/dist/HTML-Scrubber/). I use it via the Data::FormValidator filter Data::FormValidator::Filters::HTMLScrubber to remove not just scripts but tags that I don't want users to supply (like "font").

Dan
From: Eric F. <er...@dm...> - 2006-10-26 16:37:10

Hi,

This is pretty topical for me, but a little off topic for HTML::Template.. I was looking for a good example on how to do this filtering. In the Perl world I found HTML::StripScripts and it looked like a good idea at the time sort of thing, it just seemed too good/complex for me. Like the best way to do things, but I don't have time for that :)

I found this example in PHP and was trying to convert it to perl, got most of it working, but the last part I am a little baffled about what it is really for..

http://quickwired.com/kallahar/smallprojects/php_xss_filter_function.php

Below is my version of the above, which skips that last set of loops. I get what they do, but I don't get why or in what circumstance that filtering is needed and I am not really sure why he breaks the tags instead of just removing them, maybe it is more for illustration than live use?

The $val test in the script is from one of the many examples on http://ha.ckers.org/xss.html

On another note. I was very happy to find mod_security which I am testing out now. My first thought had been to do something with an Apache module, because this kind of filtering I think belongs on the web server level not the application level, that seems so much safer to me when you have a bunch of code sitting around from various people that can't all be audited and kept that way, but then once I started looking into this I found mod_security already does this and is extremely configurable. One thing I was wondering about, if anyone has compiled this with PCRE I would love to know how you did it. One possible issue mentioned on their site says doing the module compile that way prevents some issues with certain types of reg exp..

Thanks,

Eric

use strict;
use warnings;

# Perl port of the PHP RemoveXSS() function linked above, minus its final set of
# loops. Data::Translate was only used to turn a code point into hex; sprintf
# does that without the extra module.
sub RemoveXSS {
    my $val = shift;

    # Strip control characters (one character class, not three classes in a row),
    # keeping tab, newline and carriage return. They are deleted rather than
    # replaced by a space so that "java\0script" collapses to "javascript" and is
    # caught by the keyword pass below.
    $val =~ s/[\x00-\x08\x0b\x0c\x0e-\x1f]//g;

    # Decode numeric character references for every printable ASCII character, in
    # hex (&#x6A, &#X006a;) and decimal (&#106, &#0000106;) form, with up to eight
    # leading zeros and an optional trailing ';', so that an entity-obfuscated
    # keyword is spelled out before it is checked.
    my $search = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\';

    foreach my $char (split //, $search) {
        my $hex = sprintf '%x', ord $char;
        my $dec = ord $char;
        $val =~ s/&#[xX]0{0,8}$hex;?/$char/gi;   # hex form, either case
        $val =~ s/&#0{0,8}$dec;?/$char/g;        # decimal form
    }

    # Replace every dangerous tag name and event-handler attribute with <x>.
    my @ra = qw(javascript vbscript expression applet meta xml blink link style
        script embed object iframe frame frameset ilayer layer bgsound title base
        onabort onactivate onafterprint onafterupdate onbeforeactivate onbeforecopy
        onbeforecut onbeforedeactivate onbeforeeditfocus onbeforepaste onbeforeprint
        onbeforeunload onbeforeupdate onblur onbounce oncellchange onchange onclick
        oncontextmenu oncontrolselect oncopy oncut ondataavailable ondatasetchanged
        ondatasetcomplete ondblclick ondeactivate ondrag ondragend ondragenter
        ondragleave ondragover ondragstart ondrop onerror onerrorupdate
        onfilterchange onfinish onfocus onfocusin onfocusout onhelp onkeydown
        onkeypress onkeyup onlayoutcomplete onload onlosecapture onmousedown
        onmouseenter onmouseleave onmousemove onmouseout onmouseover onmouseup
        onmousewheel onmove onmoveend onmovestart onpaste onpropertychange
        onreadystatechange onreset onresize onresizeend onresizestart onrowenter
        onrowexit onrowsdelete onrowsinserted onscroll onselect onselectionchange
        onselectstart onstart onstop onsubmit onunload);
    foreach my $badword (@ra) {
        $val =~ s/$badword/<x>/gi;
    }

    return $val;
}

# Test value from http://ha.ckers.org/xss.html, as posted.
my $val = q!<IMG SRC=@avascript:alert('XSS')>!;
print "$val\n";
print "####", RemoveXSS($val), "#####\n";
## prints ####<IMG SRC=@ava<x>:alert('XSS')>#####
## ("script" is the first word in @ra that occurs in this input)

At 05:12 PM 25/10/2006, Mathew Robertson wrote:
> >> Having read the thread, I don't think that's enough for me. I want to still
> >> need to explicitly specify "ESCAPE=HTML" everywhere (without having a default
> >> escape), to have an exception raised on a non-escaped occurrence, and to add
> >> an explicit unescaping (like "ESCAPE="0"").
> >
> > Let me see if I've got this straight: you want to force the template
> > writer to include "ESCAPE=something" in every TMPL_VAR, where
> > "something" can be "HTML", "URL", or a value indicating "no escapes"
> > (say, "TEXT"); failure to do so would cause a catchable error in your
> > script when you try to evaluate the template. Right?
>
> hmm... it doesn't sound right at all. Forcing the developer to
> remember to have to type ESCAPE=... for every TMPL_VAR is just not
> right.
>
> I personally forget to even use NAME=... and I just about never
> quote the value either due to laziness.
>
> The reality is that people are lazy/forgetful/efficient - the
> general idea in life is to make life easier, not harder. I'd
> suggest just to use the functionality as is. ie: set default_escape
> to whatever the default is; when no escape is necessary, then the
> developer will explicitly say so.
>
> >> So I guess I'm going to fire up my editor and write an HTML::Template
> >> sub-class.
> >
> > Probably. May I suggest a form for your subclass to take? Let
> > "default_escape" contain two additional values: "TEXT" (which means
> > the same as "0" above, and can also be used in 'ESCAPE=' to override
> > the default with no escaping), and "NONE" (which throws an exception
> > any time a TMPL_VAR lacks 'ESCAPE='). This will let you easily switch
> > to an appropriate default_escape value once transition to the new code
> > is complete.
>
> Please don't use "TEXT" to mean none - there is at least one filter
> that has been posted on this list which is for 'text' documents.
> ie: the filter is like the HTML filter, but also handles newlines &
> carriage returns, etc. How about "NONE" or "NO" or "0" to mean 'no
> escaping is necessary'.
>
> Also, "NONE" (as described above) should be "THROW" - the term is
> common in computer science, let's use it.
>
> Mathew
From: Mathew R. <mat...@ne...> - 2006-10-26 00:12:04

>> Having read the thread, I don't think that's enough for me. I want to still
>> need to explicitly specify "ESCAPE=HTML" everywhere (without having a default
>> escape), to have an exception raised on a non-escaped occurrence, and to add
>> an explicit unescaping (like "ESCAPE="0"").
>
> Let me see if I've got this straight: you want to force the template
> writer to include "ESCAPE=something" in every TMPL_VAR, where
> "something" can be "HTML", "URL", or a value indicating "no escapes"
> (say, "TEXT"); failure to do so would cause a catchable error in your
> script when you try to evaluate the template. Right?

hmm... it doesn't sound right at all. Forcing the developer to remember to have to type ESCAPE=... for every TMPL_VAR is just not right.

I personally forget to even use NAME=... and I just about never quote the value either due to laziness.

The reality is that people are lazy/forgetful/efficient - the general idea in life is to make life easier, not harder. I'd suggest just to use the functionality as is. ie: set default_escape to whatever the default is; when no escape is necessary, then the developer will explicitly say so.

>> So I guess I'm going to fire up my editor and write an HTML::Template
>> sub-class.
>
> Probably. May I suggest a form for your subclass to take? Let
> "default_escape" contain two additional values: "TEXT" (which means
> the same as "0" above, and can also be used in 'ESCAPE=' to override
> the default with no escaping), and "NONE" (which throws an exception
> any time a TMPL_VAR lacks 'ESCAPE='). This will let you easily switch
> to an appropriate default_escape value once transition to the new code
> is complete.

Please don't use "TEXT" to mean none - there is at least one filter that has been posted on this list which is for 'text' documents. ie: the filter is like the HTML filter, but also handles newlines & carriage returns, etc. How about "NONE" or "NO" or "0" to mean 'no escaping is necessary'.

Also, "NONE" (as described above) should be "THROW" - the term is common in computer science, let's use it.

Mathew
From: Jonathan L. <dat...@gm...> - 2006-10-25 23:07:28

Shlomi Fish wrote:
> Having read the thread, I don't think that's enough for me. I want to still
> need to explicitly specify "ESCAPE=HTML" everywhere (without having a default
> escape), to have an exception raised on a non-escaped occurrence, and to add
> an explicit unescaping (like "ESCAPE="0"").

Let me see if I've got this straight: you want to force the template writer to include "ESCAPE=something" in every TMPL_VAR, where "something" can be "HTML", "URL", or a value indicating "no escapes" (say, "TEXT"); failure to do so would cause a catchable error in your script when you try to evaluate the template. Right?

> So I guess I'm going to fire up my editor and write an HTML::Template
> sub-class.

Probably. May I suggest a form for your subclass to take? Let "default_escape" contain two additional values: "TEXT" (which means the same as "0" above, and can also be used in 'ESCAPE=' to override the default with no escaping), and "NONE" (which throws an exception any time a TMPL_VAR lacks 'ESCAPE='). This will let you easily switch to an appropriate default_escape value once transition to the new code is complete.

--
Jonathan "Dataweaver" Lang
From: Shlomi F. <sh...@ig...> - 2006-10-25 16:05:24

On Tuesday 17 October 2006 14:08, Alex Kapranoff wrote:
> * Shlomi Fish <sh...@ig...> [October 17 2006, 14:23]:
> > Now what I want is to sub-class HTML::Template so we'll always have to
> > use "ESCAPE=HTML". If we want to override it we'll need to do the
> > following:
>
> There's `default_escape' option in recent HTML::Template. Is it not
> enough?

Having read the thread, I don't think that's enough for me. I want to still need to explicitly specify "ESCAPE=HTML" everywhere (without having a default escape), to have an exception raised on a non-escaped occurrence, and to add an explicit unescaping (like "ESCAPE="0""). Anything less than that will make the transition to the new code harder, and more error-prone.

So I guess I'm going to fire up my editor and write an HTML::Template sub-class.

Regards,

Shlomi Fish

---------------------------------------------------------------------
Shlomi Fish sh...@ig...
Homepage: http://www.shlomifish.org/

Chuck Norris wrote a complete Perl 6 implementation in a day but then destroyed all evidence with his bare hands, so no one will know his secrets.
From: Tom H. <tom...@pu...> - 2006-10-17 15:24:45

Alex Kapranoff wrote:
> * Michael Peters <mp...@pl...> [October 17 2006, 17:01]:
>> Alex Kapranoff wrote:
>>> * Shlomi Fish <sh...@ig...> [October 17 2006, 14:23]:
>>>> Now what I want is to sub-class HTML::Template so we'll always have to
>>>> use "ESCAPE=HTML". If we want to override it we'll need to do the following:
>>> There's `default_escape' option in recent HTML::Template. Is it not
>>> enough?
>> I think if you use default_escape => 'HTML' that would get him most of the way.
>> But there should be a way to turn off escaping when you know the var will
>> contain HTML. So maybe an escape="none" option?
>
> ESCAPE="0" works for now.

Actually, I found that turning off escaping (ESCAPE="0") does not work if you specify a default escape.

See http://rt.cpan.org/Public/Bug/Display.html?id=18274 for more details and a fix.

---Tom
From: Michael P. <mp...@pl...> - 2006-10-17 13:55:08

Alex Kapranoff wrote:
> ESCAPE="0" works for now.

Well, there you go, I didn't even know you could do that.

Shlomi, I think using default_escape and escape=0 for the exceptions is a much cleaner way to go.

--
Michael Peters
Developer
Plus Three, LP
From: Alex K. <ka...@ra...> - 2006-10-17 13:20:03

* Michael Peters <mp...@pl...> [October 17 2006, 17:01]:
> Alex Kapranoff wrote:
> > * Shlomi Fish <sh...@ig...> [October 17 2006, 14:23]:
> >> Now what I want is to sub-class HTML::Template so we'll always have to
> >> use "ESCAPE=HTML". If we want to override it we'll need to do the following:
> >
> > There's `default_escape' option in recent HTML::Template. Is it not
> > enough?
>
> I think if you use default_escape => 'HTML' that would get him most of the way.
> But there should be a way to turn off escaping when you know the var will
> contain HTML. So maybe an escape="none" option?

ESCAPE="0" works for now.

--
Alex Kapranoff,
$n=["1another7Perl213Just3hacker49"=~/\d|\D*/g]; $$n[0]={grep/\d/,@$n};print"@$n{1..4}\n"
From: Michael P. <mp...@pl...> - 2006-10-17 13:04:13

Alex Kapranoff wrote:
> * Shlomi Fish <sh...@ig...> [October 17 2006, 14:23]:
>> Now what I want is to sub-class HTML::Template so we'll always have to
>> use "ESCAPE=HTML". If we want to override it we'll need to do the following:
>
> There's `default_escape' option in recent HTML::Template. Is it not
> enough?

I think if you use default_escape => 'HTML' that would get him most of the way. But there should be a way to turn off escaping when you know the var will contain HTML. So maybe an escape="none" option?

--
Michael Peters
Developer
Plus Three, LP
From: Alex K. <ka...@ra...> - 2006-10-17 12:05:32

* Shlomi Fish <sh...@ig...> [October 17 2006, 14:23]:
> Now what I want is to sub-class HTML::Template so we'll always have to
> use "ESCAPE=HTML". If we want to override it we'll need to do the following:

There's `default_escape' option in recent HTML::Template. Is it not enough?

--
Alex Kapranoff,
$n=["1another7Perl213Just3hacker49"=~/\d|\D*/g]; $$n[0]={grep/\d/,@$n};print"@$n{1..4}\n"
From: Shlomi F. <sh...@ig...> - 2006-10-17 10:26:32

Hi all!

I am working on Yapcom ( http://yapcom.pti.co.il/ ) which is a Perl application that makes use of CGI::Application and HTML::Template. Now we had problems of Cross Site Scripting (XSS) in the past and I came up with this suggestion to hopefully eliminate them, that is based on the idea that it should be hard to output unescaped strings as is:

The HTML::Template documentation for TMPL_VAR:

http://search.cpan.org/~samtregar/HTML-Template-2.8/Template.pm#TMPL_VAR

Reads:

<<<<
Optionally you can use the "ESCAPE=HTML" option in the tag to indicate that you want the value to be HTML-escaped before being returned from output (the old ESCAPE=1 syntax is still supported). This means that the ", <, >, and & characters get translated into &quot;, &lt;, &gt; and &amp; respectively. This is useful when you want to use a TMPL_VAR in a context where those characters would cause trouble. Example:
>>>>

Now what I want is to sub-class HTML::Template so we'll always have to use "ESCAPE=HTML". If we want to override it we'll need to do the following:

1. Wrap the string in a special object:

<<<<<
my $string_to_pass = "<h1>Hello</h1>";
my $string_to_pass_as_obj = YAPC::Template::PassThru->new($string_to_pass);
>>>>>

2. Explicitly unlock the object:

<<<<<<
$string_to_pass_as_obj->unlock("unlock");
>>>>>>

Note that unlock returns undef.

3. Add a special parameter to TMPL_VAR:

<<<<<<
<TMPL_VAR NAME="string_to_pass" PASSTHRU="1">
>>>>>>

-----------------

If we pass a simple string then we can only use the TMPL_VAR with ESCAPE="HTML" added. We can also use ESCAPE="HTML" on an unlocked object.

---------------------------

My question is: can this be already done with H::T? If not, I guess I'll work on a sub-class of H::T to do such a thing, unless someone can come up with a better idea.

Regards,

Shlomi Fish

---------------------------------------------------------------------
Shlomi Fish sh...@ig...
Homepage: http://www.shlomifish.org/

Chuck Norris wrote a complete Perl 6 implementation in a day but then destroyed all evidence with his bare hands, so no one will know his secrets.
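The scheme proposed in this message (an explicit ESCAPE on every TMPL_VAR, an exception when one is missing, and an explicit no-escape form, for which the thread above settles on NONE) can be built on HTML::Template's documented `filter` option instead of wrapping strings in pass-through objects: the filter sees the raw template text before it is parsed, so it can refuse any TMPL_VAR that does not say how it wants to be escaped. What follows is an added example written for this page, not code from Yapcom or from HTML::Template itself; the package name `HTML::Template::StrictEscape`, the function names and the two template strings are made up for the demonstration. It deliberately sets no `default_escape`, so the ESCAPE="0" problem Tom Heady reports (RT #18274) does not come into play, and it rewrites ESCAPE=NONE to the ESCAPE="0" form that the thread confirms HTML::Template 2.8 accepts, so it does not depend on the installed version understanding NONE on its own.

```perl
#!/usr/bin/perl
# Added example: an HTML::Template subclass in which unescaped output is always an
# explicit decision. Every TMPL_VAR must carry ESCAPE=HTML, URL, JS or NONE/0;
# a template that omits it is rejected with an exception at load time.
package HTML::Template::StrictEscape;   # hypothetical name

use strict;
use warnings;
use base 'HTML::Template';

sub new {
    my ($class, %args) = @_;

    # HTML::Template's 'filter' option takes one code ref or a list of them; each
    # receives a reference to the template text before parsing.
    my @filters = ref $args{filter} eq 'ARRAY' ? @{ $args{filter} }
                : defined $args{filter}        ? ($args{filter})
                :                                ();
    push @filters, \&_require_explicit_escape;   # after the caller's own filters
    $args{filter} = \@filters;

    # No default_escape on purpose: every tag has to state what it wants.
    return $class->SUPER::new(%args);
}

# Both tag styles HTML::Template accepts: <TMPL_VAR ...> and <!-- TMPL_VAR ... -->.
my $TMPL_VAR = qr/<(?:!--\s*)?tmpl_var\b([^>]*)>/i;

sub _require_explicit_escape {
    my $text_ref = shift;   # reference to the raw template text

    while ($$text_ref =~ /$TMPL_VAR/g) {
        my $attrs = $1;
        next if $attrs =~ /\bescape\s*=/i;
        my $before = substr($$text_ref, 0, $-[0]);
        my $line   = 1 + ($before =~ tr/\n//);
        die "TMPL_VAR without ESCAPE= at template line $line: <TMPL_VAR$attrs>\n";
    }

    # Accept the NONE spelling settled on in this thread, but hand HTML::Template
    # the ESCAPE="0" form it is known to understand.
    $$text_ref =~ s{(<(?:!--\s*)?tmpl_var\b[^>]*?\bescape\s*=\s*)["']?none["']?}{${1}"0"}gi;
}

package main;

my $attacker = q{<script>alert('XSS')</script>};   # constructed user input

# Constructed template: every TMPL_VAR states its escaping, including the one
# that deliberately passes developer-supplied markup through unchanged.
my $strict = <<'TMPL';
<p>Hello, <TMPL_VAR NAME="user" ESCAPE="HTML">!</p>
<a href="/search?q=<TMPL_VAR NAME="user" ESCAPE="URL">">search again</a>
<div><TMPL_VAR NAME="banner" ESCAPE="NONE"></div>
TMPL

my $t = HTML::Template::StrictEscape->new(scalarref => \$strict);
$t->param(user => $attacker, banner => '<b>Welcome</b>');
print $t->output;   # the script tag is emitted as entities; the banner as-is

# Constructed template with a forgotten ESCAPE: refused before any output exists.
my $sloppy = '<p>Hello, <TMPL_VAR NAME="user">!</p>';
eval { HTML::Template::StrictEscape->new(scalarref => \$sloppy) };
print "rejected: $@";
```

The check runs when the template is loaded, not when a value is rendered, so a forgotten ESCAPE is caught the first time the page is compiled rather than the first time a hostile string reaches it. Because filters are also applied to included files, TMPL_INCLUDEs are covered by the same rule.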
From: Raful Mr M. H <RA...@us...> - 2006-10-16 21:21:51

All:

I am having difficulty with my JavaScript. If I place the code directly on my template, it works. If I place the reference to the .js file in my head.tmpl (which creates the page's head and is "included" on all other pages), it does not run. Any suggestions?

Thanks,

Mitch

Mitch Raful CCNP, MCSE
Network Engineer
Marine Corps Community Services
MCB Quantico
3044 Catlin Avenue
Quantico, VA 22134
ra...@us...
Commercial phone - 703.784.5991
DSN 278-5991
From: Charles K. C. <ccl...@ht...> - 2006-10-10 15:33:18

Matias Alejo Garcia wrote:

Fine answer, but there are a couple of typos.

:    my $tmpl_param = [];
     my $tmpl_parm = [];

:    <tmpl_loop $tmpl_parm>
     <tmpl_loop parm>

HTH,

Charles K. Clarkson
--
Mobile Homes Specialist
Free Market Advocate
Web Programmer

254 968-8328

Don't tread on my bandwidth. Trim your posts.
From: Matias A. G. <ma...@ni...> - 2006-10-10 12:08:06

Hello Robert,

On 10/10/06, Robert Franks <so...@to...> wrote:
>
> I am new to the HTML::Template module, as you will see:
>
> I have successfully generated the <tmpl_loop> using an array which
> contains a hash reference.
>
> However, in the html page I want to be able to loop through my hash
> without knowing the names of the keys.
> What is the best way to do this?

You can do:

my %hash = (
    key1 => 'value1',
    key2 => 'value1',
    keyX => 'valueX',
);

my $tmpl_param = [];
foreach my $key (keys %hash) {
    push @$tmpl_parm, {
        key   => $key,
        value => $hash{$key},
    };
}
$template->param( parm => $tmpl_parm);

And, in the template:
------------------------
<tmpl_loop $tmpl_parm>
<tmpl_var key> is <tmpl_var value> |
</tmpl_loop>

Hope it helps,

matías

--
http://confronte.com
Compará y comprá mejor
From: Robert F. <so...@to...> - 2006-10-10 12:01:20

I am new to the HTML::Template module, as you will see:

I have successfully generated the <tmpl_loop> using an array which contains a hash reference.

However, in the html page I want to be able to loop through my hash without knowing the names of the keys.
What is the best way to do this?

eg. in my cgi script I have:

my %price_hash = (
    "key1" => "val1",
    "key2" => "val2",
    "key3" => "val3",
    "key89" => "val89"
);

push (@price_array, \%price_hash);
$param->{"price_loop"} = \@price_array;

So that in the html page I can use:

<tmpl_loop name="price_loop">
....
</tmpl_loop>

I know I can use

<tmpl_var name="key89">

in the loop, but to output "val89" that relies on me knowing that key89 exists, and its name..

How can I just loop through the hash printing out the keys and values, without knowing the keys?

--
Robert Franks
From: Jonathan L. <dat...@gm...> - 2006-10-04 03:39:16

Matthew wrote:
> Is it possible to have a variable inside a variable be parsed?
>
> I'd like to pull some text from DB containing a few tmpl_var's and
> assign that text to a tmpl_var in original file I instantiated the
> object with.
>
> Is this possible?

HTML is very specific as to what it allows: when you pass a variable into the template, you have to bear in mind which tag the variable is going to be used in. A tmpl_var can only receive a string or a number; I'm not even sure if it's permitted to take a boolean value, although it might be. A tmpl_if/tmpl_unless can only receive a boolean value. A tmpl_loop can only receive a list of hashes, and tags nested within it access hash keys of the current iteration of the loop instead of other variables passed into the template. There's a flag you can use that lets nested tags access global variables as well, as long as none of the hash keys clobber that name.

But there's no way to pass a simple hash or list into the template; the _only_ aggregate data that HTML::Template handles is the list of hashes used by tmpl_loop. Since tables are not a native data type for perl, this makes it awkward for programmers to pass loop data into the template; but then, HTML::Template seems to have a design philosophy of keeping the template syntax as simple as possible at _all_ costs. HTML::Template::Expr relaxes the straitjacket somewhat; but even that much flexibility is viewed by the designer as a necessary evil.

--
Jonathan "Dataweaver" Lang
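A complete version of the answer Matías gives to Robert further up, with the two typos Charles points out corrected, and with the points from Jonathan's reply above applied: the hash becomes the one aggregate type HTML::Template accepts (a list of hashes), `global_vars` is the flag that lets a loop body see a top-level variable, and `loop_context_vars` supplies the row parity. This is an added example, not code from the thread; the sample hash, the template text and the title are constructed for it. Both TMPL_VARs in the row carry ESCAPE=HTML, because hash values that come from users are exactly what the XSS discussion in the later messages is about.

```perl
#!/usr/bin/perl
# Added example: render an arbitrary hash with a TMPL_LOOP without knowing its keys.
use strict;
use warnings;
use HTML::Template;

# Constructed sample data, including one value that would be an XSS payload if it
# reached the page unescaped.
my %price_hash = (
    key1  => 'val1',
    key2  => 'val2',
    key89 => 'val89',
    evil  => q{<script>alert('XSS')</script>},
);

# Builds the only aggregate HTML::Template understands, a list of hashes, one row
# per key. Keys are sorted so the rendered table is stable across runs (a Perl
# hash's own order is not).
sub hash_to_loop {
    my %h = @_;
    return [ map { +{ key => $_, value => $h{$_} } } sort keys %h ];
}

# Constructed template. "title" is a top-level param read from inside the loop,
# which needs global_vars; __odd__ comes from loop_context_vars.
my $tmpl = <<'TMPL';
<h1><TMPL_VAR NAME="title" ESCAPE="HTML"></h1>
<table>
<TMPL_LOOP NAME="price_loop">
  <tr class="<TMPL_IF NAME="__odd__">odd<TMPL_ELSE>even</TMPL_IF>">
    <td><TMPL_VAR NAME="key" ESCAPE="HTML"></td>
    <td><TMPL_VAR NAME="value" ESCAPE="HTML"></td>
    <td><TMPL_VAR NAME="title" ESCAPE="HTML"></td>
  </tr>
</TMPL_LOOP>
</table>
TMPL

my $template = HTML::Template->new(
    scalarref         => \$tmpl,
    loop_context_vars => 1,   # provides __odd__, __first__, __last__ inside loops
    global_vars       => 1,   # lets loop bodies see top-level params such as "title"
);
$template->param(
    title      => 'Price list',
    price_loop => hash_to_loop(%price_hash),
);
print $template->output;
```

With `die_on_bad_params` left at its default, a row hash containing a key the loop body never uses is an error, so `hash_to_loop` emits exactly the two keys the template names; anything else from the source hash travels inside `value`, where it is escaped.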
From: Matthew <ma...@ma...> - 2006-09-28 22:37:07
|
Is it possible to have a variable inside a variable be parsed?

I'd like to pull some text from DB containing a few tmpl_var's and assign that text to a tmpl_var in original file I instantiated the object with.

Is this possible?

Thanks,
Matthew |
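Matthew's question above, and Jonathan's reply to it earlier on this page, worked through as an added example; this is not code from either poster nor from HTML::Template itself. The outer template, the DB row and the variable names (title, body, user, count) are constructed for the example. It shows the two cases side by side: a tmpl_var receives a plain string and emits it, so DB text containing tmpl_var's passed straight in is not expanded; the usual workaround is to render the DB text as an HTML::Template of its own and hand the finished HTML to the outer template. Once that is done, whoever can edit the DB row is writing template source, so the inner object is created with the no_includes and default_escape constructor options, which the thread does not mention.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Template;

# Outer template, standing in for the file the script created its object from.
# (Constructed for this example; "title" and "body" are assumed names.)
my $outer_src = <<'END';
<h1><tmpl_var name="title" escape="html"></h1>
<div class="body"><tmpl_var name="body"></div>
END

# Constructed stand-in for the row fetched from the DB: HTML carrying its own tmpl_var's.
my $db_text = 'Hello <tmpl_var name="user">, you have <tmpl_var name="count"> new messages.';

# Attempt 1: hand the DB text to the outer tmpl_var as-is. A tmpl_var receives a
# string and prints it; HTML::Template does not re-parse parameter values, so the
# inner <tmpl_var> tags land in the output verbatim and are never filled in.
sub render_literal {
    my $t = HTML::Template->new(scalarref => \$outer_src);
    $t->param(title => 'Inbox', body => $db_text);
    return $t->output;
}

# Attempt 2: treat the DB text as a template of its own, fill it, and pass the
# finished HTML to the outer template. The DB row's author now controls template
# directives, so the inner object is built with the restrictive options.
sub render_expanded {
    my (%vars) = @_;
    my $inner = HTML::Template->new(
        scalarref         => \$db_text,
        default_escape    => 'HTML',  # user and count are data: escape them unless a tag opts out
        die_on_bad_params => 0,       # the DB text need not use every variable offered to it
        no_includes       => 1,       # DB text must never pull files from disk via <tmpl_include>
    );
    $inner->param(%vars);

    my $outer = HTML::Template->new(scalarref => \$outer_src);
    # body is finished HTML at this point, so the outer tag deliberately carries no escape.
    $outer->param(title => 'Inbox', body => $inner->output);
    return $outer->output;
}

print "--- literal ---\n",  render_literal();
print "--- expanded ---\n", render_expanded(user => 'Bob <script>', count => 3);
```

The first run leaves `<tmpl_var name="user">` in the page unchanged; the second prints the greeting with the user's name escaped to `Bob &lt;script&gt;`. Note what the second design trusts: the DB text is rendered unescaped into the outer page, so anyone who can write that column is trusted with markup, and can also switch escaping off for an individual variable with an `escape` attribute of their own. `no_includes` only closes the file-read path; it does not make untrusted template source safe.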
From: Sam T. <sa...@tr...> - 2006-09-14 18:31:34
|
Krang v2.007 is now available (the source release is up now and binary builds should be up soon). Notable changes in this release and in v2.006, which never received a proper announcement:

* Improvements to the list-data management system, command-line tools and associated element classes. [Jesse Erlbaum]
* Added support for Konqueror and fixed Krang to deny access to Mac IE, which was never supported. [Michael Peters]
* Krang now automatically deletes any alerts tied to a desk when that desk is deleted, fixing a long-standing import/export bug. [Michael Peters]
* Added --clean option to bin/krang_addon_installer. [Michael Peters]
* Added new index to element table. This index will greatly speed complex publishing logic. Thanks to James Reidy for identifying the bottleneck. [Jesse Erlbaum]
* Allow users whose page-size preference is 100 to be able to toggle between 100 and 20, instead of 100 and 100. [Michael Peters]
* SiteServer configuration now does server-side includes by default. SSI is very common for sites managed by Krang. This will make development use of the SiteServer more useful and easier. [Jesse Erlbaum]
* Added new --grep option to krang_upload_media. This option permits you to use a regex to filter what you want media to upload. [Jesse Erlbaum]
* Binary distributions now include src/ allowing for rebuilding installed copies of Krang. [Sam]
* Fixed krang_install --FromBackup issues when the backups contain addons. [Michael Peters]
* Fixed bug where KDS import would trigger delete_hook calls when updating elements for stories and categories. [Sam]
* Fixed bulk-edit to allow white-space on the blank line separating paragraphs. [Sam]
* Modified krang_schedulectl to skip scheduler start-up if SchedulerMaxChildren parameter is set to 0 in krang.conf. This is useful in development when you do not want the scheduler to run. [Jesse Erlbaum]
* Fixed several bin/ scripts to always load Krang::Conf via Krang::ClassLoader before using it. This fixes problems overriding Krang::Conf in an addon. [Sam]
* Changed krang_upload_templates script to now handle "global" templates (those without categories). [Jesse Erlbaum]
* Numerous other bug fixes.

Detailed change-log here: http://krang.sf.net/docs/changelog.html

Krang is an Open Source web-publisher / content-management system designed for large-scale magazine-style websites. It is a 100% Perl application using Apache/mod_perl and MySQL, as well as numerous CPAN modules. Krang provides a powerful and easy to use story and media editing environment for website editors, as well as a complete template development environment for web designers. On the back-end, Perl programmers can customize Krang to control the data entered in the story editor and add code to drive the templates to build output. Krang can be enhanced with add-ons containing new skins and other new features. Krang easily handles large data sets and can manage multiple websites in a single installation.

For more information about Krang, visit the Krang website: http://krang.sourceforge.net/

There you can download Krang, view screenshots, read documentation, join our mailing-lists and access the CVS tree.

- the Krang team |