Re: [htmltmpl] option to turn ESCAPE=HTML on by default
From: Mathew R. <mat...@ne...> - 2005-10-25 23:12:46
hehe - then you haven't tried my version of H::T ... I modified H::T so that it dynamically loads the appropriate escape module -> you simply do this:

    package HTML::Template::ESCAPE::HTML_JS;
    use HTML::Template::ESCAPE;
    $HTML::Template::ESCAPE::HTML_JS::VERSION = '1.0';
    sub output {
      my $self = shift;
      $_ = shift if (@_ > 0);
      ...blah...
      $_;
    }

then save the file somewhere in your PERL5LIB directory list.

Mathew

Alex Kapranoff wrote:

>You are right, that would suffice. But as far as I understand, making
>escape modules is not trivial. Escaping is not abstracted enough inside
>HTML::Template.
>
>* Mathew Robertson <mat...@ne...> [October 20 2005, 08:22]:
>
>>Is it layered-escaping that is needed, or can we simply make a new escape
>>module called, say "HTML_JS"?
>>
>>Mathew
>>
>>Alex Kapranoff wrote:
>>
>>>* Philip Tellis <phi...@gm...> [October 18 2005, 16:02]:
>>>
>>>>>s/pretty hard/impossible/;
>>>>>That's why there's only 1 _default_.
>>>>>
>>>>Oh well, "Perl is designed to make the easy jobs easy, without making
>>>>the hard jobs impossible."
>>>>
>>>>I'd hoped that it was also, "... make impossible jobs pretty hard"
>>>>
>>>BTW, "double" or "layered" escaping is a very wanted feature.
>>>
>>>See:
>>>======
>>><script>
>>>item.innerHTML = "<strong><TMPL_VAR new_content></strong>";
>>></script>
>>>======
>>>
>>>This var needs first HTML, then JS escaping (in that order) or else
>>>the code is likely just plain insecure. This task is not solved right
>>>now.
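
Added example, not part of the original thread and not HTML::Template's or the modified H::T's own code: a stand-alone Perl sketch of the "first HTML, then JS" layering for the quoted innerHTML template, printed beside the two orderings that fail. The function names escape_html, escape_js and escape_html_js and the sample value are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my %HTML = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
            '"' => '&quot;', "'" => '&#39;');

# Layer 1: the value is parsed as markup once it reaches innerHTML.
sub escape_html {
    my ($s) = @_;
    $s =~ s/([&<>"'])/$HTML{$1}/g;
    return $s;
}

# Layer 2: the value sits in a double-quoted JS literal inside <script>.
# Control characters, quotes, backslash, <, >, / and the JS line
# separators U+2028/U+2029 become \uXXXX escapes.
sub escape_js {
    my ($s) = @_;
    $s =~ s/([\x00-\x1f"'\\<>\/\x{2028}\x{2029}])/sprintf('\\u%04x', ord($1))/ge;
    return $s;
}

# Hypothetical combined escape: HTML first, then JS (the order from the thread).
sub escape_html_js { return escape_js(escape_html($_[0])) }

# Constructed sample value: markup characters, a quote, a newline
# and a trailing backslash.
my $value = qq{a<b & "c"\nd:\\};

my $fmt = qq{%-12s item.innerHTML = "<strong>%s</strong>";\n};

# HTML only: the raw newline and the trailing backslash break the JS literal.
printf $fmt, 'html only:', escape_html($value);

# JS then HTML: the JS parser decodes \u003c back to '<' before innerHTML
# sees the string, so the value is parsed as live markup.
printf $fmt, 'js->html:', escape_html(escape_js($value));

# HTML then JS: the JS string decodes to 'a&lt;b &amp; ...', which
# innerHTML renders as the original text.
printf $fmt, 'html->js:', escape_html_js($value);
```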