Re: [htmltmpl] Suggestion on how to eliminate Cross-site-scripting (XSS) bugs for good.
From: Tom H. <tom...@pu...> - 2006-10-17 15:24:45
Alex Kapranoff wrote:
> * Michael Peters <mp...@pl...> [October 17 2006, 17:01]:
>> Alex Kapranoff wrote:
>>> * Shlomi Fish <sh...@ig...> [October 17 2006, 14:23]:
>>>> Now what I want is to sub-class HTML::Template so we'll always have to
>>>> use "ESCAPE=HTML". If we want to override it we'll need to do the following:
>>> There's `default_escape' option in recent HTML::Template. Is it not
>>> enough?
>> I think if you use default_escape => 'HTML' that would get him most of the way.
>> But there should be a way to turn off escaping when you know the var will
>> contain HTML. So maybe an escape="none" option?
>
> ESCAPE="0" works for now.

Actually, I found that turning off escaping (ESCAPE="0") does not work if you
specify a default escape. See http://rt.cpan.org/Public/Bug/Display.html?id=18274
for more details and a fix.

---Tom
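As an added example, not code from this thread or from the HTML::Template distribution, here is a small script that exercises the combination the thread is about: a template-wide `default_escape => 'HTML'` plus a per-variable `ESCAPE="0"` opt-out for a slot that is meant to carry trusted, already-rendered markup. The template text and both parameter values are constructed for the test. The `new`, `param` and `output` calls and the `default_escape` option are real HTML::Template API; the two `die` checks are the added sanity test. On a release with the behaviour Tom reports, the second `die` fires because the opt-out is ignored and the body is escaped along with everything else.

```perl
#!/usr/bin/perl
# Added example (not from the mailing-list thread): check that a
# template-wide default escape and a per-variable ESCAPE="0" override
# behave together the way the thread expects.
use strict;
use warnings;
use HTML::Template;

# Constructed template. "title" relies on the default escaping;
# "body" opts out because it will hold trusted, pre-sanitized HTML.
my $tmpl = <<'END';
<h1><TMPL_VAR NAME="title"></h1>
<div><TMPL_VAR NAME="body" ESCAPE="0"></div>
END

my $t = HTML::Template->new(
    scalarref      => \$tmpl,
    default_escape => 'HTML',   # every TMPL_VAR is HTML-escaped unless it says otherwise
);

# Constructed untrusted input for the escaped slot (typical XSS probe).
$t->param( title => '<script>alert(1)</script>' );

# Constructed trusted markup for the slot that opted out of escaping.
$t->param( body => '<p>already <b>sanitized</b> markup</p>' );

my $out = $t->output;
print $out;

# Expected on a correct build:
#   the title is rendered as &lt;script&gt;alert(1)&lt;/script&gt;
#   the body's <p>...</p> markup is rendered verbatim
# Either check failing points at a real problem: the first means the
# default escape is not being applied at all, the second is the failure
# Tom describes, where ESCAPE="0" is ignored once default_escape is set.
die "default_escape was not applied to 'title'\n"
    if $out =~ /<script>/;
die "ESCAPE=\"0\" override on 'body' was ignored (see RT #18274)\n"
    if $out =~ /&lt;p&gt;/;

print "default escape applied and per-variable override honoured\n";
```

Run it against the HTML::Template version you deploy; a template that is safe only because of `default_escape` is exactly the one where a silently ignored opt-out, or the reverse, a silently ignored default, is hard to spot by reading the output of a normal page, so a check like this belongs in the test suite rather than in a one-off shell session.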