Re: [htmltmpl] Suggestion on how to eliminate Cross-site-scripting (XSS) bugs for good.
From: Shlomi F. <sh...@ig...> - 2006-10-25 16:05:24
On Tuesday 17 October 2006 14:08, Alex Kapranoff wrote:
> * Shlomi Fish <sh...@ig...> [October 17 2006, 14:23]:
> > Now what I want is to sub-class HTML::Template so we'll always have to
> > use "ESCAPE=HTML". If we want to override it we'll need to do the
> > following:
>
> There's `default_escape' option in recent HTML::Template. Is it not
> enough?

Having read the thread, I don't think that's enough for me. I want to still need to explicitly specify "ESCAPE=HTML" everywhere (without having a default escape), to have an exception raised on a non-escaped occurrence, and to add an explicit unescaping (like "ESCAPE="0""). Anything less than that will make the transition to the new code harder, and more error-prone.

So I guess I'm going to fire up my editor and write an HTML::Template sub-class.

Regards,

Shlomi Fish

---------------------------------------------------------------------
Shlomi Fish sh...@ig...
Homepage: http://www.shlomifish.org/

Chuck Norris wrote a complete Perl 6 implementation in a day but then destroyed all evidence with his bare hands, so no one will know his secrets.
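One way to build the sub-class described in this post, as an added example that is not code from the thread or from HTML::Template itself: it uses HTML::Template's documented `filter` option to scan the template text before parsing, dies on any `<TMPL_VAR>` that carries no `ESCAPE` attribute, and accepts `ESCAPE=0` as the explicit opt-out. The package name `HTML::Template::StrictEscape` and the sample templates are assumptions; HTML::Template is assumed to be installed.

```perl
package HTML::Template::StrictEscape;
use strict;
use warnings;
use Carp qw(croak);
use parent 'HTML::Template';

# Hypothetical sub-class (added example, not part of HTML::Template or of
# this thread). Every <TMPL_VAR> must carry an explicit ESCAPE attribute:
# HTML/URL/JS escape as usual, ESCAPE=0 (or NONE) is the deliberate opt-out
# for values already known to be safe markup, so each raw insertion is
# visible during code review instead of being the silent default.
sub new {
    my ( $class, %opts ) = @_;

    # HTML::Template runs 'filter' subs on the template text before parsing.
    my $require_escape = sub {
        my ($text_ref) = @_;
        while ( $$text_ref =~ /<(?:!--\s*)?tmpl_var\b([^>]*)>/gi ) {
            my $attrs = $1;
            next if $attrs =~ /\bescape\s*=\s*["']?(?:html|url|js|0|none)\b/i;
            my $before = substr( $$text_ref, 0, $-[0] );
            my $line   = 1 + ( $before =~ tr/\n// );
            croak "TMPL_VAR without explicit ESCAPE at line $line: <TMPL_VAR$attrs>";
        }
    };

    # Keep any filter the caller supplied; ours runs first.
    my @filters = ($require_escape);
    if ( exists $opts{filter} ) {
        push @filters, ref $opts{filter} eq 'ARRAY' ? @{ $opts{filter} } : $opts{filter};
    }
    $opts{filter} = \@filters;

    return $class->SUPER::new(%opts);
}

package main;
# Constructed templates to show the check in action.
my $good = q{<p>Hello, <TMPL_VAR NAME="user" ESCAPE=HTML></p>
<div><TMPL_VAR NAME="sanitized_body" ESCAPE=0></div>};
my $bad = q{<p>Hello, <TMPL_VAR NAME="user"></p>};

my $t = HTML::Template::StrictEscape->new( scalarref => \$good );
$t->param( user => 'Tom & "Jerry" <tj>', sanitized_body => '<b>ok</b>' );
print $t->output;    # 'user' is entity-encoded, 'sanitized_body' is inserted as-is

eval { HTML::Template::StrictEscape->new( scalarref => \$bad ) };
print "rejected: $@" if $@;    # the unescaped TMPL_VAR is refused at load time
```

Because the check runs at template load time, a missing `ESCAPE` is caught the first time the template is compiled, not when a particular value happens to reach it.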