Re: [htmltmpl] option to turn ESCAPE=HTML on by default
From: Alex K. <ka...@ra...> - 2005-10-24 11:01:43
You are right, that would suffice. But as far as I understand, making
escape modules is not trivial. Escaping is not abstracted enough inside
HTML::Template.

* Mathew Robertson <mat...@ne...> [October 20 2005, 08:22]:
> Is it layered escaping that is needed, or can we simply make a new escape
> module called, say, "HTML_JS"?
>
> Mathew
>
> Alex Kapranoff wrote:
>
> >* Philip Tellis <phi...@gm...> [October 18 2005, 16:02]:
> >
> >>>s/pretty hard/impossible/;
> >>>That's why there's only 1 _default_.
> >>>
> >>Oh well, "Perl is designed to make the easy jobs easy, without making
> >>the hard jobs impossible."
> >>
> >>I'd hoped that it was also, "... make impossible jobs pretty hard"
> >>
> >
> >BTW, "double" or "layered" escaping is a very wanted feature.
> >
> >See:
> >======
> ><script>
> >item.innerHTML = "<strong><TMPL_VAR new_content></strong>";
> ></script>
> >======
> >
> >This var needs first HTML, then JS escaping (in that order) or else
> >the code is likely just plain insecure. This task is not solved right
> >now.
>

-- 
Alex Kapranoff,
$n=["1another7Perl213Just3hacker49"=~/\d|\D*/g];
$$n[0]={grep/\d/,@$n};print"@$n{1..4}\n"
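The template line quoted in the thread, modelled as an added example (this is not code from the htmltmpl list or from HTML::Template; escapeHtml and escapeJs are simplified stand-ins for ESCAPE=HTML and ESCAPE=JS, and the three attacker values are constructed). The browser decodes the JS string literal first and only afterwards parses the resulting string as HTML when it is assigned to innerHTML, so the encodings have to be applied in the reverse order: HTML first, then JS. The example renders the template with each hostile value under four escaping choices and re-decodes the literal the way a JS parser would, to show what actually reaches innerHTML.

```javascript
// Added example, not code from the htmltmpl list or HTML::Template itself.
// escapeHtml/escapeJs are simplified stand-ins for ESCAPE=HTML / ESCAPE=JS.

// HTML entity escaping for text content.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Escaping for the inside of a double-quoted JS string literal.
function escapeJs(s) {
  return String(s)
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')
    .replace(/<\//g, '<\\/'); // so "</script>" cannot end the script element
}

// The template line from the thread with TMPL_VAR new_content substituted.
function renderTemplate(escapedValue) {
  return 'item.innerHTML = "<strong>' + escapedValue + '</strong>";';
}

// Model of the browser's JS parser: pull the string literal out of the
// rendered statement and decode its escape sequences (\", \\, \n, \r, \t,
// \/, \xHH, \uHHHH). Returns null when the statement no longer parses as a
// single assignment of one string literal, i.e. the value broke out of the
// quotes and whatever follows runs as code.
function innerHtmlSeenByBrowser(rendered) {
  const m = /^item\.innerHTML = "((?:[^"\\\n]|\\[\s\S])*)";$/.exec(rendered);
  if (!m) return null;
  const simple = { n: '\n', r: '\r', t: '\t' };
  return m[1].replace(/\\(u[0-9a-fA-F]{4}|x[0-9a-fA-F]{2}|[\s\S])/g, (_, e) => {
    if (e[0] === 'u' || e[0] === 'x') {
      return String.fromCharCode(parseInt(e.slice(1), 16));
    }
    return e in simple ? simple[e] : e;
  });
}

// Constructed attacker values (not from the thread).
// 1. Plain tag injection: closes <strong> and adds a live <img> element.
const HTML_BREAKOUT = '</strong><img src=x onerror=alert(1)>';
// 2. No HTML-special characters at all; the JS parser turns \u003c into '<'.
const JS_SMUGGLED_TAG = '\\u003cimg src=x onerror=alert(1)\\u003e';
// 3. Terminates the JS string literal and appends code.
const QUOTE_BREAKOUT = '"; alert(1); //';

// Apply a chain of escapers left to right, render, decode as the browser
// would, and report whether the attacker got code execution: either the
// literal was broken out of, or a real <img> tag reached innerHTML.
function isExploitable(value, escapers) {
  const escaped = escapers.reduce((acc, esc) => esc(acc), value);
  const html = innerHtmlSeenByBrowser(renderTemplate(escaped));
  return html === null || /<img\b/i.test(html);
}

const CHAINS = {
  'no escaping': [],
  'ESCAPE=HTML only': [escapeHtml],
  'ESCAPE=JS only': [escapeJs],
  'HTML then JS': [escapeHtml, escapeJs],
};

// Summary table: one row per escaping choice, one column per attacker value.
function summary() {
  const values = [HTML_BREAKOUT, JS_SMUGGLED_TAG, QUOTE_BREAKOUT];
  const rows = {};
  for (const [name, chain] of Object.entries(CHAINS)) {
    rows[name] = values.map((v) => isExploitable(v, chain));
  }
  return rows;
}

for (const [name, results] of Object.entries(summary())) {
  console.log(name.padEnd(18), results.map((r) => (r ? 'XSS ' : 'safe')).join(' '));
}
```

Each single escaper misses one case: ESCAPE=HTML alone passes the `\u003c` value untouched and the JS parser rebuilds a real tag from it, while ESCAPE=JS alone leaves `<img ...>` intact and only neutralises the quote and `</`. Only the HTML-then-JS chain leaves every value as inert text inside the `<strong>` element.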