Thread: [htmltmpl] [PATCH] default_escape
From: Tatsuhiko M. <miy...@ed...> - 2002-06-21 07:11:36
This patch allows you to do

HTML::Template->new(default_escape => 'HTML');

then your TMPL_VARs will always be HTML-escaped unless you explicitly specify ESCAPE=0, which will be a handy guard against Cross Site Scripting attacks.

--
Tatsuhiko Miyagawa <miy...@ed...>

diff -ruP HTML-Template-2.5.orig/Template.pm HTML-Template-2.5/Template.pm --- HTML-Template-2.5.orig/Template.pm Fri Jun 21 16:05:21 2002 +++ HTML-Template-2.5/Template.pm Fri Jun 21 16:03:29 2002 @@ -927,6 +927,7 @@ no_includes => 0, case_sensitive => 0, filter => [], + default_escape => 0, ); # load in options supplied to new() @@ -1822,7 +1823,7 @@ $which = uc($1); # which tag is it - $escape = $3 || $8; + $escape = $3 || $8 || $options->{default_escape}; $escape = 0 if $2 || $7; # ESCAPE=0 $escape = 0 unless defined($escape); diff -ruP HTML-Template-2.5.orig/test.pl HTML-Template-2.5/test.pl --- HTML-Template-2.5.orig/test.pl Fri Jun 21 16:05:21 2002 +++ HTML-Template-2.5/test.pl Fri Jun 21 16:04:56 2002 @@ -3,7 +3,7 @@ use strict; use Test; -BEGIN { plan tests => 55 }; +BEGIN { plan tests => 57 }; use HTML::Template; ok(1); @@ -717,3 +717,18 @@ filename => 'include_path/one.tmpl'); $output = $template->output; ok($output =~ /ONE/ and $output =~ /TWO/ and $output =~ /THREE/); + +# test default_escape +$template = HTML::Template->new(path => ['templates'], + filename => 'simple.tmpl', + default_escape => 'html'); +$template->param(ADJECTIVE => '"very"'); +$output = $template->output; +ok($output =~ /"very"/); + +$template = HTML::Template->new(path => ['templates'], + filename => 'escape.tmpl', + default_escape => 'html'); +$template->param(STUFF => '<>'); +$output = $template->output; +ok($output !~ /<>/);
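Review bot: in the Template.pm hunk at @@ -927, `+ default_escape => 0,` keeps every existing template unescaped by default, which is the right backwards-compatible choice, but the option is not added to the new() option documentation in the same change; since this is meant as a safety net, the POD should say that it only applies to TMPL_VARs carrying no ESCAPE attribute, list the accepted values, and state that ESCAPE=0 switches it off per variable.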
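Review bot: the ordering in the Template.pm hunk at @@ -1822 is correct: `+ $escape = $3 || $8 || $options->{default_escape};` lets an explicit ESCAPE attribute win over the default, and the unchanged `$escape = 0 if $2 || $7; # ESCAPE=0` that follows still lets ESCAPE=0 override the default. Two things to check: the option value is copied into `$escape` verbatim, so the lowercase 'html' used in test.pl only works if whatever consumes `$escape` later compares case-insensitively (otherwise apply uc() here, as is done for `$which`); and because this runs while the template is parsed, any cache keyed on the template file needs to include default_escape as well, or a parse cached by one object could be reused by another constructed with a different setting.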
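Review bot: in the test.pl hunk at @@ -717, the first assertion as it appears here, `+ok($output =~ /"very"/);`, matches the unescaped quote characters, which are exactly what default_escape should have turned into &quot;; unless the archive decoded an entity in the original, this test passes for the wrong reason. Make both checks positive: assert `&quot;very&quot;` in the first and `&lt;&gt;` in the second instead of only `!~ /<>/`, which would also pass if the value were dropped altogether. A third case using a template with an explicit ESCAPE=0 would cover the per-variable opt-out the description promises, which is not exercised here.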
From: Sam T. <sa...@tr...> - 2002-06-22 20:45:13
On Fri, 21 Jun 2002, Tatsuhiko Miyagawa wrote:
> This patch allows you to do
>
> HTML::Template->new(default_escape => 'HTML');
>
> then your TMPL_VARs will always be HTML-escaped unless you explicitly
> specify ESCAPE=0, which will be a handy guard against Cross Site
> Scripting attacks.

Looks good to me. All it needs now is some documentation. I'll do the
English if you'll do the Japanese.

-sam
From: Tatsuhiko M. <miy...@ed...> - 2002-06-24 03:56:41
At Sat, 22 Jun 2002 15:56:12 -0400 (EDT),
Sam Tregar wrote:
> > This patch allows you to do
> >
> > HTML::Template->new(default_escape => 'HTML');
> >
> > then your TMPL_VARs will always be HTML-escaped unless you explicitly
> > specify ESCAPE=0, which will be a handy guard against Cross Site
> > Scripting attacks.
>
> Looks good to me. All it needs now is some documentation. I'll do the
> English if you'll do the Japanese.

Surely, will do ;-)

--
Tatsuhiko Miyagawa <miy...@ed...>
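As an added illustration of the option described in the first message (this is not code from the patch or from the HTML::Template distribution), the script below renders a constructed two-variable template with and without default_escape and checks that an explicit ESCAPE=0 still opts a single variable out. It assumes an HTML::Template release that ships the default_escape option.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Template;   # assumes a release that includes default_escape

# Constructed template (not one of the distribution's test templates):
# COMMENT relies on the default, BANNER opts out with an explicit ESCAPE=0.
my $tmpl = <<'END_TMPL';
<p>Comment: <TMPL_VAR NAME="COMMENT"></p>
<p>Banner: <TMPL_VAR NAME="BANNER" ESCAPE=0></p>
END_TMPL

# Constructed sample values: one string as it might arrive from a request,
# one piece of markup the application built itself.
my $untrusted = q{<script>alert(1)</script> & "x"};
my $trusted   = '<em>site notice</em>';

sub render {
    my (%opts) = @_;
    my $t = HTML::Template->new(scalarref => \$tmpl, %opts);
    $t->param(COMMENT => $untrusted, BANNER => $trusted);
    return $t->output;
}

# Plain new(): a TMPL_VAR without an ESCAPE attribute is inserted raw,
# so the untrusted string reaches the page as markup.
my $raw = render();
die "expected raw insertion" unless index($raw, $untrusted) >= 0;

# With default_escape => 'HTML' the same template entity-encodes COMMENT ...
my $safe = render(default_escape => 'HTML');
die "COMMENT was not escaped"
    unless index($safe, '&lt;script&gt;alert(1)&lt;/script&gt; &amp; &quot;x&quot;') >= 0;
die "raw input leaked" if index($safe, '<script>') >= 0;

# ... while the variable marked ESCAPE=0 keeps its markup: the opt-out is
# per variable and visible in the template rather than hidden in the handler.
die "ESCAPE=0 override lost" unless index($safe, $trusted) >= 0;

print $safe;
```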