Re: [htmltmpl] Suggestion on how to eliminate Cross-site-scripting (XSS) bugs for good.
From: Jonathan L. <dat...@gm...> - 2006-10-25 23:07:28
Shlomi Fish wrote:
> Having read the thread, I don't think that's enough for me. I want to still
> need to explicitly specify "ESCAPE=HTML" everywhere (without having a default
> escape), to have an exception raised on a non-escaped occurrence, and to add
> an explicit unescaping (like "ESCAPE="0"").

Let me see if I've got this straight: you want to force the template writer to include "ESCAPE=something" in every TMPL_VAR, where "something" can be "HTML", "URL", or a value indicating "no escapes" (say, "TEXT"); failure to do so would cause a catchable error in your script when you try to evaluate the template. Right?

> So I guess I'm going to fire up my editor and write an HTML::Template
> sub-class.

Probably. May I suggest a form for your subclass to take? Let "default_escape" contain two additional values: "TEXT" (which means the same as "0" above, and can also be used in 'ESCAPE=' to override the default with no escaping), and "NONE" (which throws an exception any time a TMPL_VAR lacks 'ESCAPE='). This will let you easily switch to an appropriate default_escape value once the transition to the new code is complete.

--
Jonathan "Dataweaver" Lang
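The fail-closed escaping policy proposed in this message, as an added example that is not part of the thread and is not HTML::Template code: a small constructed template engine in Python that understands only `<TMPL_VAR NAME="..." ESCAPE="...">`, honours `HTML`, `URL`, `TEXT` (and the `0`/`1` aliases) as escape modes, and takes a `default_escape` setting. With `default_escape="NONE"` any TMPL_VAR that lacks an explicit `ESCAPE=` raises `MissingEscapeError` at template-compile time, so an unescaped interpolation cannot reach the page; once every template carries an explicit mode, `default_escape` can be switched to `HTML` and the check becomes a fallback. The class and exception names are assumptions chosen for this example.

```python
import html
import re
from urllib.parse import quote


class MissingEscapeError(ValueError):
    """Raised at compile time when a TMPL_VAR has no ESCAPE= and the default is NONE."""


# Escape modes the engine accepts; TEXT is the explicit opt-out (same as ESCAPE=0).
ESCAPERS = {
    "HTML": html.escape,                  # escapes & < > " '
    "URL": lambda s: quote(s, safe=""),   # percent-encodes everything but unreserved chars
    "TEXT": lambda s: s,                  # raw interpolation, must be requested explicitly
}
# Aliases used by HTML::Template templates: ESCAPE=1 means HTML, ESCAPE=0 means none.
ALIASES = {"1": "HTML", "0": "TEXT"}

TMPL_VAR = re.compile(r"<TMPL_VAR\s+([^>]*?)\s*>", re.IGNORECASE)
ATTR = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))', re.IGNORECASE)


def parse_attrs(raw):
    """Parse NAME=... ESCAPE=... attributes (quoted or bare) into an upper-cased dict."""
    attrs = {}
    for m in ATTR.finditer(raw):
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).upper()] = value
    return attrs


class StrictTemplate:
    """Constructed mini engine mirroring the proposed default_escape semantics."""

    def __init__(self, text, default_escape="NONE"):
        self.default_escape = default_escape.upper()
        if self.default_escape != "NONE" and self.default_escape not in ESCAPERS:
            raise ValueError(f"unknown default_escape {default_escape!r}")
        self.parts = []  # literal strings interleaved with (name, mode) tuples
        pos = 0
        for m in TMPL_VAR.finditer(text):
            attrs = parse_attrs(m.group(1))
            name = attrs.get("NAME")
            if name is None:
                raise ValueError("TMPL_VAR without NAME")
            mode = attrs.get("ESCAPE")
            if mode is None:
                # The policy point: with NONE, a missing ESCAPE= is an error, not a
                # silent raw interpolation.
                if self.default_escape == "NONE":
                    raise MissingEscapeError(f"TMPL_VAR {name!r} has no ESCAPE= attribute")
                mode = self.default_escape
            mode = ALIASES.get(mode, mode.upper())
            if mode not in ESCAPERS:
                raise ValueError(f"unknown ESCAPE mode {mode!r} on TMPL_VAR {name!r}")
            self.parts.append(text[pos:m.start()])
            self.parts.append((name, mode))
            pos = m.end()
        self.parts.append(text[pos:])

    def output(self, params):
        """Render, applying the per-variable escaper; unset params render empty."""
        out = []
        for part in self.parts:
            if isinstance(part, tuple):
                name, mode = part
                out.append(ESCAPERS[mode](str(params.get(name, ""))))
            else:
                out.append(part)
        return "".join(out)


def render_strict(template_text, params, default_escape="NONE"):
    """Convenience wrapper: compile with the policy and render in one call."""
    return StrictTemplate(template_text, default_escape).output(params)


if __name__ == "__main__":
    # Constructed sample input: a comment field carrying markup.
    untrusted = {"msg": '<script>alert(1)</script>', "q": "a b&c"}
    print(render_strict('<p><TMPL_VAR NAME="msg" ESCAPE="HTML"></p>', untrusted))
    print(render_strict('<a href="/s?q=<TMPL_VAR NAME=q ESCAPE=URL>">', untrusted))
    try:
        render_strict('<p><TMPL_VAR NAME="msg"></p>', untrusted)
    except MissingEscapeError as e:
        print("rejected:", e)
```

Raising at construction rather than at `output()` is deliberate: the error surfaces when the template is loaded (typically at application start or in tests), not only when a request happens to hit the unescaped variable.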