Re: [htmltmpl] option to turn ESCAPE=HTML on by default
From: Alex K. <ka...@ra...> - 2005-10-14 14:48:55
* Mark Stosberg <ma...@su...> [October 14 2005, 18:37]:
> I'm curious about what other people think about an option to
> turn ESCAPE=HTML on by default, to protect against cross-site scripting
> practices by default.
>
> This seems especially valuable when the convenient "associate => $q"
> option is used.
>
> Then programmers would be forcing themselves to consciously add
> "NOESCAPE=html" to a tag.
>
> To me, this seems like the equivalent of turning "use strict" on by
> default, and explicitly declaring "no strict" where needed.
>
> Thoughts?

All for it. About 10% of my TMPL_VARS are not escaped.

"NOESCAPE=html" looks very confusing. Should probably be "ESCAPE=none".

-- 
Alex Kapranoff, $n=["1another7Perl213Just3hacker49"=~/\d|\D*/g]; $$n[0]={grep/\d/,@$n};print"@$n{1..4}\n"
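An added example (mine, not code from this thread or from the HTML::Template distribution) that shows the two behaviours being compared: today's opt-in escaping, where a bare TMPL_VAR fed through "associate => $q" interpolates attacker input verbatim, beside the proposed opt-out model. The stand-in query object, the constructed payload, and the option names `default_escape` and `ESCAPE="NONE"` are assumptions of this example; the latter two are the spellings later HTML::Template releases document, not anything the 2005 thread settles on.

```perl
#!/usr/bin/perl
# Added example, not from the thread or from HTML::Template itself.
use strict;
use warnings;
use HTML::Template;

# Constructed stand-in for a CGI query object. HTML::Template's "associate"
# option only requires an object with a param() method (no args: list of
# names; one arg: the value), so this avoids a dependency on CGI.pm while
# behaving like "associate => $q" in the quoted message.
package FakeQuery;
sub new { my ($class, %p) = @_; return bless {%p}, $class }
sub param {
    my ($self, $name) = @_;
    return keys %$self unless defined $name;
    return $self->{$name};
}
package main;

# Constructed hostile input, as a user would submit it in a form field.
my $payload = q{<script>alert(document.cookie)</script>};
my $q = FakeQuery->new(comment => $payload, title => q{Fish & "Chips"});

# 1. Opt-in escaping (the behaviour the thread wants to change): a bare
#    TMPL_VAR is interpolated verbatim, so "raw:" below is a stored XSS;
#    only the tag the author remembered to mark ESCAPE=HTML is safe.
my $opt_in = <<'END';
<h1><TMPL_VAR NAME="title"></h1>
<p>raw:     <TMPL_VAR NAME="comment"></p>
<p>escaped: <TMPL_VAR NAME="comment" ESCAPE="HTML"></p>
END

# 2. Opt-out escaping (what the thread proposes): every TMPL_VAR is HTML
#    escaped unless the tag explicitly opts out. ASSUMPTION: the option is
#    spelled default_escape and the opt-out ESCAPE="NONE", as in later
#    HTML::Template releases; a 2005 version may not accept either.
my $opt_out = <<'END';
<h1><TMPL_VAR NAME="title"></h1>
<p>default: <TMPL_VAR NAME="comment"></p>
<p>raw:     <TMPL_VAR NAME="comment" ESCAPE="NONE"></p>
END

# Render a template with every $q->param() associated, plus any extra
# constructor options (used to pass default_escape for the second case).
sub render {
    my ($tmpl, %extra) = @_;
    my $t = HTML::Template->new(
        scalarref => \$tmpl,
        associate => $q,
        %extra,
    );
    return $t->output;
}

print "--- opt-in escaping (explicit ESCAPE=HTML per tag) ---\n";
print render($opt_in);
print "--- opt-out escaping (default_escape => 'HTML') ---\n";
print render($opt_out, default_escape => 'HTML');
```

In the first block the "raw:" line carries the `<script>` element through untouched while the "escaped:" line renders it as `&lt;script&gt;...&lt;/script&gt;`; the title's `&` and `"` become `&amp;` and `&quot;` wherever escaping applies. Two caveats worth keeping in mind whichever default wins: ESCAPE=HTML is only correct for values landing in HTML text or attribute content, so a value dropped inside a `<script>` block or a URL still needs HTML::Template's ESCAPE=JS or ESCAPE=URL, and a default only helps if the handful of opt-out tags (Alex's roughly 10%) are ones whose values are genuinely trusted markup rather than user input.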