Hi all!
I am working on Yapcom ( http://yapcom.pti.co.il/ ) which is a Perl
application that makes use of CGI::Application and HTML::Template. Now we had
problems of Cross Site Scripting (XSS) in the past and I came up with this
suggestion to hopefully eliminate them, that is based on the idea that it
should be hard to output unescaped strings as is:
The HTML::Template documentation for TMPL_VAR:
http://search.cpan.org/~samtregar/HTML-Template-2.8/Template.pm#TMPL_VAR
Reads:
<<<<
Optionally you can use the "ESCAPE=HTML" option in the tag to indicate that
you want the value to be HTML-escaped before being returned from output (the
old ESCAPE=1 syntax is still supported). This means that the ", <, >, and &
characters get translated into &quot;, &lt;, &gt; and &amp; respectively.
This is useful when you want to use a TMPL_VAR in a context where those
characters would cause trouble. Example:
>>>>
Now what I want is to sub-class HTML::Template so we'll always have to
use "ESCAPE=HTML". If we want to override it we'll need to do the following:
1. Wrap the string in a special object:
<<<<<
my $string_to_pass = "<h1>Hello</h1>";
my $string_to_pass_as_obj = YAPC::Template::PassThru->new($string_to_pass);
>>>>>
2. Explicitly unlock the object:
<<<<<<
$string_to_pass_as_obj->unlock("unlock");
>>>>>>
Note that unlock returns undef.
3. Add a special parameter to TMPL_VAR:
<<<<<<
<TMPL_VAR NAME="string_to_pass" PASSTHRU="1">
>>>>>>
-----------------
If we pass a simple string then we can only use the TMPL_VAR with
ESCAPE="HTML" added. We can also use ESCAPE="HTML" on an unlocked object.
---------------------------
My question is: can this be already done with H::T? If not, I guess I'll work
on a sub-class of H::T to do such a thing, unless someone can come up with a
better idea.
Regards,
Shlomi Fish
---------------------------------------------------------------------
Shlomi Fish shlomif@xxxxxxxxxxx
Homepage: http://www.shlomifish.org/
Chuck Norris wrote a complete Perl 6 implementation in a day but then
destroyed all evidence with his bare hands, so no one will know his secrets.
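Added illustration (not code from the post, Yapcom or HTML::Template itself): one way to build the PassThru idea as a hypothetical subclass, YAPC::Template::Safe, that enforces escaping in param() instead of in the template, so templates then omit ESCAPE=HTML; the PASSTHRU attribute from step 3 is not implemented, since that would need changes to H::T's tag parser. The package names and the is_unlocked/string accessors are assumptions.

```perl
package YAPC::Template::PassThru;
# Marks a string as raw HTML; it is emitted unescaped only after an
# explicit unlock("unlock"), as in the post's design.
use strict; use warnings;
use Carp qw(croak);
sub new {
    my ($class, $string) = @_;
    return bless { string => $string, unlocked => 0 }, $class;
}
sub unlock {    # returns undef, as the post describes
    my ($self, $word) = @_;
    croak 'unlock() requires the literal argument "unlock"'
        unless defined $word && $word eq 'unlock';
    $self->{unlocked} = 1;
    return;
}
sub is_unlocked { $_[0]{unlocked} }   # assumed accessor
sub string      { $_[0]{string} }     # assumed accessor

package YAPC::Template::Safe;
# Hypothetical HTML::Template subclass: every plain string handed to
# param() is HTML-escaped; only unlocked PassThru objects stay raw.
use strict; use warnings;
use Carp qw(croak);
use Scalar::Util qw(blessed);
use HTML::Entities qw(encode_entities);
use base 'HTML::Template';
sub param {
    my $self = shift;
    return $self->SUPER::param(@_) if @_ < 2;   # reads pass straight through
    my %args = @_;
    my %safe = map { $_ => _sanitize($_, $args{$_}) } keys %args;
    return $self->SUPER::param(%safe);
}
sub _sanitize {
    my ($name, $value) = @_;
    if (ref $value eq 'ARRAY') {    # TMPL_LOOP rows: sanitize every field
        return [ map { my $r = $_; +{ map { $_ => _sanitize($_, $r->{$_}) } keys %$r } } @$value ];
    }
    if (blessed $value && $value->isa('YAPC::Template::PassThru')) {
        croak "param '$name': PassThru object was not unlocked" unless $value->is_unlocked;
        return $value->string;
    }
    croak "param '$name': unsupported reference type" if ref $value;
    return defined $value ? encode_entities($value, '<>&"') : undef;   # same four chars as ESCAPE=HTML
}

package main;
my $tmpl = '<p><TMPL_VAR NAME="title"></p><TMPL_VAR NAME="body">';   # constructed sample template
my $t    = YAPC::Template::Safe->new(scalarref => \$tmpl);
my $body = YAPC::Template::PassThru->new('<h1>Hello</h1>'); $body->unlock('unlock');
$t->param(title => '<b>"untrusted" & co</b>', body => $body);   # title is escaped, body is raw
print $t->output, "\n";
```

Passing a locked PassThru object, or any other reference, makes param() croak, so a forgotten unlock fails loudly instead of silently emitting raw markup.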