Re: [Templates] Question about overloading Stash->get()
[Date index for 2005/01/18]
For some reason I had forgotten how to use my mail client and replied directly
to Randal instead of to the list. . .
My basic issue is that I don't want the encoding to be an opt-in mechanism.
I'm doing this to deal with XSS issues and I would prefer to have a whitelist
of things that don't need to be escaped rather than a blacklist of things that
do need to be escaped. i.e.
$foo = "<h1>HI!</h1>";
[% foo %] should render to <h1>HI!</h1> by default.
If the developer specifically knows that $foo is safe (i.e. doesn't reflect
user input) he/she should be able to do this
[% foo | unhtml %]
to opt out of the escaping. For security type stuff I almost always prefer a
whitelist rather than a blacklist. Similar to having packet filters set to
drop everything except things that I know are good, rather than trying to
enumerate everything I know is bad.
--- Josh Rosenbaum <josh@xxxxxxxxx.xxx> wrote:
> Randal L. Schwartz wrote:
> > >>>>> "Andrew" == Andrew Williams <amw1@xxxxx.xxx> writes:
> >
> >
> > Andrew> I want to automatically html escape unsafe chars in any value
> > Andrew> that is displayed to the user. i.e. [% foo %] should have <
> > Andrew> and >'s escaped.
> >
> > And what doesn't
> >
> > [% foo | html %]
> >
> > do for you that you need?
> >
>
> I imagine it probably gets tedious to type '| html' (or html_entity)
> every time. Not to mention if he has already written tons of pages, it can
> get tedious to go over them and change everything.
>
> Andrew, I don't have a good solution for you. If you don't have a lot
> of pages and you're just looking for shorthand, you could use a 'hack'
> like this:
>
> use Template::Stash;
> use HTML::Entities;
>
> # Register a scalar vmethod "h" so any scalar can be escaped as [% foo.h %]
> $Template::Stash::SCALAR_OPS->{ h } =
>     sub {
>         my ($scalar) = @_;
>         return HTML::Entities::encode_entities($scalar);
>     };
>
>
> Then just do: [% foo.h %]. You might have to do [% foo.h() %] as I
> didn't test that. Hopefully someone can help you with your original
> question.
>
> -- Josh
>
_______________________________________________
templates mailing list
templates@xxxxxxxxxxxxxxxx.xxx
http://lists.template-toolkit.org/mailman/listinfo/templates
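An added example (not code from this thread or from Template Toolkit itself) of the escape-by-default stash the subject line asks about: get() HTML-escapes every plain scalar it returns, and an `unhtml` filter reverses that for values the developer has vouched for, so escaping becomes the default and not-escaping the explicit exception. The package name AutoEscape::Stash and the sample variables are made up for the example; it assumes Template Toolkit and HTML::Entities are installed.

```perl
use strict;
use warnings;

# Hypothetical package name for this example.
package AutoEscape::Stash;
use parent 'Template::Stash';   # subclass the pure-Perl stash, not Template::Stash::XS
use HTML::Entities ();

# Every variable lookup in a template goes through get(), so escaping here
# makes escaping the default rather than something each template opts into.
sub get {
    my ($self, @args) = @_;
    my $value = $self->SUPER::get(@args);
    # Leave undef and references alone: lists, hashes and objects must survive
    # untouched so [% list.size %] and method calls keep working.
    return $value if !defined $value || ref $value;
    return HTML::Entities::encode_entities($value, '<>&"\'');
}

package main;
use Template;

my $tt = Template->new({
    STASH   => AutoEscape::Stash->new,
    # Opt-out filter: reverses the escaping get() applied, for values the
    # developer knows do not reflect user input, e.g. [% foo | unhtml %].
    FILTERS => {
        unhtml => sub {
            my $text = shift;
            HTML::Entities::decode_entities($text);   # decodes in place
            return $text;
        },
    },
}) or die Template->error;

# Constructed sample data: $foo carries markup the developer trusts,
# $user_input stands in for a value an attacker could control.
my $vars = {
    foo        => '<h1>HI!</h1>',
    user_input => '<script>alert(1)</script>',
};

my $template = <<'TT';
default:  [% user_input %]
opt-out:  [% foo | unhtml %]
TT

$tt->process(\$template, $vars) or die $tt->error;
```

Because get() runs on every lookup, string comparisons in IF/SWITCH now see escaped values and the built-in `html` filter double-escapes, so a site switching to this stash has to audit existing templates for both.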