From: Chris N. <pu...@po...> - 2000-12-20 14:45:13
I had double quotes in my vars description for one var, and the " was not escaped, so this template snippet failed:

  <TD>Description</TD><TD><INPUT TYPE="TEXT" NAME="desc" VALUE="[% varsref.description %]" size="60"></TD>

That is, it ended up with something like:

  VALUE="This is "bad" in the sense of "not good""

As you can see, the " marks mess up the HTML. Here are two rules to abide by:

* In templates, when putting unknown text in a VALUE parameter, ALWAYS use the strip_attribute filter.
* In templates, when putting unknown text in a TEXTAREA, ALWAYS use the strip_literal filter.

Examples:

  <TD>Description</TD><TD><INPUT TYPE="TEXT" NAME="desc" VALUE="[% FILTER strip_attribute %][% varsref.description %][% END %]" size="60"></TD>

And:

  <TEXTAREA NAME="foo">[% FILTER strip_literal %][% mytext %][% END %]</TEXTAREA>

Note: this is only for _unknown_ text. If you have already prepared the text (perhaps in the Perl code itself with the strip_literal() or strip_attribute() or strip_mode() functions), or you have set the variable so you know it is safe, this is not necessary. But if the variable is not known or has not been otherwise prepared, use the filters as shown above.

Also note: we previously would pass in variables like this to templates:

  nickname => $user->{nickname},
  nickname_attr => strip_attribute($user->{nickname}),

This is not necessary any longer. It's easier to just leave it to the template, usually, because you could end up passing in 15 different strip_'d variables at once. It's better to just leave it to the template and wrap it in a [% FILTER %].

One last note: This is not confined to attributes and textareas. If you have an unknown variable to print in HTML, you should consider using [% FILTER strip_literal %], strip_html, strip_nohtml, etc. Whatever is appropriate. See the Slash::Utility POD for more info on the different strip filters/functions.

Thanks,

-- 
Chris Nandor pu...@po... http://pudge.net/
Open Source Development Network pu...@os... http://osdn.com/
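The failure and the fix described above, as an added example that is not part of the original mail or of Slash: the two `strip_*` functions here are stand-ins that assume Slash's filters entity-escape for their context, and `render` is a minimal stand-in for the template engine's `[% FILTER %]` handling, enough to show why the unfiltered VALUE breaks and the filtered one round-trips.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample input: the description that broke the VALUE attribute.
DESCRIPTION = 'This is "bad" in the sense of "not good"'
VARS = {"varsref": {"description": DESCRIPTION}}

# Stand-ins for Slash's filters (assumed behaviour: entity-escape for the context).
def strip_attribute(text):
    """For attribute values: escape &, <, > and the quote characters."""
    return html.escape(text, quote=True)

def strip_literal(text):
    """For element content such as TEXTAREA: escape &, < and >; quotes may stay."""
    return html.escape(text, quote=False)

FILTERS = {"strip_attribute": strip_attribute, "strip_literal": strip_literal}
FILTER_RE = re.compile(r"\[% FILTER (\w+) %\](.*?)\[% END %\]", re.S)
VAR_RE = re.compile(r"\[% ([\w.]+) %\]")

def render(template, variables=VARS):
    """Minimal [% ... %] renderer: variables inside a FILTER block go through that filter."""
    def lookup(match):
        value = variables
        for part in match.group(1).split("."):
            value = value[part]
        return str(value)
    def apply_filter(match):
        return FILTERS[match.group(1)](VAR_RE.sub(lookup, match.group(2)))
    return VAR_RE.sub(lookup, FILTER_RE.sub(apply_filter, template))

class AttrGrabber(HTMLParser):
    """Records the VALUE attribute a browser-side parser would see on the INPUT."""
    value = None
    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.value = dict(attrs).get("value")

def parsed_value(markup):
    grabber = AttrGrabber()
    grabber.feed(markup)
    return grabber.value

UNSAFE = '<INPUT TYPE="TEXT" NAME="desc" VALUE="[% varsref.description %]" size="60">'
SAFE = ('<INPUT TYPE="TEXT" NAME="desc" VALUE="[% FILTER strip_attribute %]'
        '[% varsref.description %][% END %]" size="60">')

if __name__ == "__main__":
    print(render(UNSAFE), parsed_value(render(UNSAFE)))  # attribute truncated at the 2nd quote
    print(render(SAFE), parsed_value(render(SAFE)))      # VALUE="... &quot;bad&quot; ..." -> DESCRIPTION
```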