You prefer global escaping to escaping in the template? I use the TT plugin for escaping:

    [% USE HTML %]
    [% HTML.escape(needs.escaping) %]

An idea that might work for you: if you structure your data in the stash and create your templates generically, looking for data in specific stash locations, you could accomplish what you want with very little work (potentially). Something like:

    [% USE HTML %]
    <title>[% data.title %]</title>
    <h1>[% HTML.escape(data.escape.something) %]</h1>

Not sure if that would work for you.

Thanks,
------------------------------------------
Ali Mesdaq (CISSP, GIAC-GREM)
Sr. Security Researcher
Websense Security Labs
http://www.WebsenseSecurityLabs.com
------------------------------------------

-----Original Message-----
From: Ovid [mailto:[email protected]]
Sent: Thursday, April 01, 2010 3:00 AM
To: Cat Herders; Tomas Doran
Subject: [Catalyst] Views and escaping HTML

Hi all,

I've been searching for the best answer, but there's a huge amount to wade through.

I'm working on a Catalyst app where all views are purely HTML. I use Catalyst::View::TT. The vast majority of my data in views should be HTML escaped:

    [% message | html %]

However, I'd like that to be the default rather than the exception because it's easy to forget this. I wanted to just do this in the view class:

    STASH => Template::Stash::EscapeHTML

But that globally escapes everything, thus destroying my forms. I considered writing my own stash but had trouble getting enough information to always be sure of doing the right thing.

It might be nice if Catalyst::View::TT accepted a Template subclass, something like this:

    package Veure::View::HTML;

    use Modern::Perl;
    use parent 'Catalyst::View::TT';

    __PACKAGE__->config(
        TEMPLATE_CLASS     => 'Template::HTML',
        TEMPLATE_EXTENSION => '.tt',
        WRAPPER            => 'site/wrapper',
    );

That would cause everything to be HTML escaped, unless I use the new "none" filter:

    [% form.render | none %]

However, that doesn't work because the template class is hard-coded into Catalyst::View::TT. I'm not sure if this is the best way to go about this, though.

Should I just continue work on a custom stash? How have others dealt with this?

Cheers,
Ovid
--
Buy the book         - http://www.oreilly.com/catalog/perlhks/
Tech blog            - http://blogs.perl.org/users/ovid/
Twitter              - http://twitter.com/OvidPerl
Official Perl 6 Wiki - http://www.perlfoundation.org/perl6

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/

Protected by Websense Hosted Email Security -- www.websense.com
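The custom stash Ovid asks about, and the opt-out that Ali's per-variable HTML.escape call avoids having to think about, can be combined in a few lines of plain Template Toolkit. The following is an added, stand-alone Perl script written for this archive page; it is not code from Ovid, Ali, Catalyst::View::TT or the Template Toolkit distribution. The package names My::Stash::AutoEscape and My::RawHTML are hypothetical, and the script assumes only that the Template module is installed. Every scalar fetched from the stash is escaped; a value that is deliberately trusted HTML (the rendered form) is wrapped in a small object and passes through untouched.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Hypothetical stash subclass: every scalar value looked up from the stash
# is HTML-escaped before the template ever sees it. References (objects,
# hashes, arrays) are returned as-is; nested lookups such as data.title
# arrive here as one get() call, so the final scalar is escaped exactly once.
package My::Stash::AutoEscape;
use parent 'Template::Stash';   # the pure-Perl stash, so this get() override is honoured

my %ESCAPE = (
    '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;',
);

sub get {
    my ($self, @args) = @_;
    my $value = $self->SUPER::get(@args);
    return $value if ref $value;            # trusted wrapper objects (see My::RawHTML) pass through
    return $value unless defined $value;
    (my $escaped = $value) =~ s/([&<>"'])/$ESCAPE{$1}/g;
    return $escaped;
}

# Hypothetical opt-out marker: wraps a string the caller vouches for as
# already-safe HTML. Because it is a reference, the stash leaves it alone,
# and the overloaded stringification emits the raw markup.
package My::RawHTML;
use overload '""' => sub { ${ $_[0] } }, fallback => 1;

sub new {
    my ($class, $html) = @_;
    return bless \$html, $class;
}

package main;
use Template;

# Hand the auto-escaping stash to TT explicitly; without this TT may pick
# Template::Stash::XS, whose get() is in C and would bypass the override.
my $tt = Template->new({ STASH => My::Stash::AutoEscape->new })
    or die Template->error;

my $template = <<'TT';
<title>[% data.title %]</title>
<h1>[% data.heading %]</h1>
[% form %]
TT

# Constructed sample data: an untrusted heading (simulating user-supplied
# content) beside a form whose markup the application itself generated.
my $vars = {
    data => {
        title   => 'Veure',
        heading => '<script>alert(1)</script>',                   # untrusted: gets escaped
    },
    form => My::RawHTML->new('<form><input name="q"></form>'),  # trusted: emitted as-is
};

$tt->process(\$template, $vars, \my $out) or die $tt->error;
print $out;
```

Run with `perl autoescape.pl`: the heading comes out entity-encoded while the form is emitted as markup. The design choice worth noting is where the opt-out lives. A `| none` template filter cannot work on top of an escaping stash, because the filter only runs after get() has already escaped the value; instead the controller declares trust at the point where the HTML is produced, by wrapping it in My::RawHTML before putting it in the stash. That keeps the template safe by default and makes every exception grep-able. Ovid's message shows the view config already accepting a STASH entry, so an object of this class is the natural thing to pass there.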
