Re: [htmltmpl] Suggestion on how to eliminate Cross-site-scripting (XSS) bugs for good.
From: Michael P. <mp...@pl...> - 2006-10-17 13:04:13
Alex Kapranoff wrote:
> * Shlomi Fish <sh...@ig...> [October 17 2006, 14:23]:
>> Now what I want is to sub-class HTML::Template so we'll always have to
>> use "ESCAPE=HTML". If we want to override it we'll need to do the following:
>
> There's `default_escape' option in recent HTML::Template. Is it not
> enough?

I think if you use default_escape => 'HTML' that would get him most of the way. But there should be a way to turn off escaping when you know the var will contain HTML. So maybe an escape="none" option?

--
Michael Peters
Developer
Plus Three, LP
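The escape-by-default setup the thread is talking about, as an added example (not code from the thread or from HTML::Template itself): default_escape => 'HTML' makes every TMPL_VAR HTML-escaped, and a single tag opts out with ESCAPE=0. The template text, the variable names and the sample values are constructed for this example; it is an assumption that the version in use also accepts ESCAPE=NONE as the opt-out spelling proposed above.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Template;

# Constructed template. With default_escape => 'HTML' every TMPL_VAR is
# HTML-escaped unless the tag itself says otherwise. ESCAPE=0 turns escaping
# off for that one variable (assumed: newer versions also accept ESCAPE=NONE).
my $template_text = <<'END_TMPL';
<p>Name: <TMPL_VAR NAME="name"></p>
<p>Comment: <TMPL_VAR NAME="comment"></p>
<div class="rendered"><TMPL_VAR NAME="rendered_markup" ESCAPE=0></div>
END_TMPL

my $tmpl = HTML::Template->new(
    scalarref      => \$template_text,
    default_escape => 'HTML',   # escape everything unless a tag opts out
);

# Constructed sample values: 'comment' is untrusted user input, while
# 'rendered_markup' is markup the application already built and sanitised
# itself, so it is the one place where raw HTML is intended.
$tmpl->param(
    name            => 'Alice <alice@example.com>',
    comment         => '<script>alert("xss")</script>',
    rendered_markup => '<em>already-sanitised</em> markup',
);

my $html = $tmpl->output;
print $html;

# Checks worth keeping in a test suite once escape-by-default is adopted:
# untrusted text must never reach the page as live markup, and the explicit
# opt-out must still pass the trusted field through unchanged.
die "escape-by-default did not apply\n" if $html =~ /<script>/;
die "ESCAPE=0 opt-out did not apply\n"
    unless $html =~ m{<em>already-sanitised</em> markup};
```

The point of the arrangement is that the safe behaviour is the default and every exception is visible in the template as an explicit ESCAPE=0 (or ESCAPE=NONE), which is what a reviewer should grep for when auditing templates for raw HTML output.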