On 10 Oct 2007, at 21:51, josh wrote:
> You should look at Mark P Sullivan's lightning talk on this at YAPC::NA 2007.
> http://www.justanotherperlhacker.org/lightning/2007yapcna.shtml

Yes, that's cool - and similar.

It doesn't (I think) allow the "escaping polymorphism" behavior which is an important part of what I want. Part of the problem with string escaping is that it's currently necessary for the programmer to manually track the current escaping of a string and then apply the correct transformations in the correct order. If I have an array of strings to stuff into a query or pass to a template engine they better all be escaped the same way otherwise it's going to get messy.

Consider a simple template engine:

<html>
   <head><title>%title%</title></head>
   <body>
      {foreach p %para%}
          <p>%p%</p>
      {/foreach}
   </body>
</html>

print $template->bind( title => 'Test page', para => [EMAIL PROTECTED] );

(made up syntax)

Every para must have the same escaping - either they're all plain text and the template engine entity encodes them - or they're all entity encoded already.

It'd be much more convenient to be able to feed it a mixture of plain text and HTML paras and have it able to automagically turn them all into HTML.

With String::Smart the template engine would just ask for "as html $var" and get a safe HTML representation of that variable without having to know how it's currently encoded.

I stressed the XSS/SQL injection angle - but it's as much about decoupling and convenience as security.

--
Andy Armstrong, Hexten
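As an added illustration, not part of the thread above and not String::Smart's actual API: a self-contained Perl sketch of the "escaping polymorphism" the post describes. A string carries the encoding it is currently in, and a template engine only ever asks "give me this as HTML". The package name Escaped and the functions plain, html, as_html, encode_entities and render are hypothetical names chosen for this example; the input paragraphs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Scalar::Util qw(blessed);

# Hypothetical escaping-aware string: a value plus the encoding it is
# currently in. This is an illustration, not String::Smart's real interface.
package Escaped;

sub new {
    my ($class, $encoding, $value) = @_;
    return bless { encoding => $encoding, value => $value }, $class;
}
sub encoding { $_[0]{encoding} }
sub value    { $_[0]{value} }

package main;

# Constructors: tag a string with what it currently is.
sub plain { Escaped->new(plain => shift) }   # raw text, not yet encoded
sub html  { Escaped->new(html  => shift) }   # already entity-encoded / trusted markup

my %ENT = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');

sub encode_entities {
    my $s = shift;
    $s =~ s/([&<>"'])/$ENT{$1}/g;
    return $s;
}

# The "escaping polymorphism": the caller asks for HTML and gets it, whatever
# the input currently is. An untagged scalar is treated as plain text, so the
# safe direction (encode) is the default and nothing is encoded twice.
sub as_html {
    my $v = shift;
    return encode_entities($v) unless blessed($v) && $v->isa('Escaped');
    return $v->value                  if $v->encoding eq 'html';
    return encode_entities($v->value) if $v->encoding eq 'plain';
    die "as_html: unknown encoding '" . $v->encoding . "'";
}

# Stand-in for the template engine from the post: every bound value goes
# through as_html, so plain and already-HTML paras end up consistently HTML.
sub render {
    my (%bind) = @_;
    my $out = "<title>" . as_html($bind{title}) . "</title>\n";
    for my $p (@{ $bind{para} }) {
        $out .= "<p>" . as_html($p) . "</p>\n";
    }
    return $out;
}

# Constructed input: a mixture of plain text and HTML paragraphs, including
# a script tag that must come out inert.
my @paras = (
    plain('Tom & Jerry <3'),                 # plain: must be entity-encoded
    html('Already <b>bold</b> &amp; safe'),  # html: must NOT be re-encoded
    '<script>alert(1)</script>',             # untagged: treated as plain
);

print render(title => 'Test page', para => \@paras);
```

Running it prints the title and three paragraphs, with the first and third entity-encoded and the second passed through untouched. The one place the programmer still has to think is the html() constructor: tagging a string as HTML is an assertion that it is already safe markup, so applying that tag to attacker-controlled input would reintroduce exactly the XSS the scheme is meant to prevent. The decision about trust is made once, where the string is created, instead of at every point it is used.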


