* Mark Stosberg <[EMAIL PROTECTED]> [October 14 2005, 18:37]:
> I'm curious about what other people think about an option to
> turn ESCAPE=HTML on default, to protect against cross script scripting
> practices by default.
>
> This seems especially valuable when the convenient "associate => $q"
> option is used.
>
> Then programmers would be forcing themselves to consciously add
> "NOESCAPE=html" to a tag.
>
> To me, this seems like the equivalent of turning "use strict" on by
> default, and explicitly declaring "no strict" where needed.
>
> Thoughts?

All for it. About 10% of my TMPL_VARS are not escaped.

"NOESCAPE=html" looks very confusing. Should probably be "ESCAPE=none".

-- 
Alex Kapranoff,
$n=["1another7Perl213Just3hacker49"=~/\d|\D*/g];
$$n[0]={grep/\d/,@$n};print"@$n{1..4}\n"

_______________________________________________
Html-template-users mailing list
Html-template-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/html-template-users
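
The behaviour discussed in this thread, as an added example that is not part of either message: the same TMPL_VAR rendered unescaped, with a per-tag ESCAPE=HTML, and with escaping on by default plus an explicit opt-out. It assumes an installed HTML::Template release that provides the `default_escape` constructor option and accepts `ESCAPE=NONE`; the `render` helper and the sample value are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Template;

# Constructed sample value standing in for an untrusted request parameter,
# such as one pulled in through "associate => $q".
my $name = q{<script>alert(1)</script>};

# Hypothetical helper: render a template string with the given
# constructor options and the sample value bound to "name".
sub render {
    my ($tmpl, %opts) = @_;
    my $t = HTML::Template->new(scalarref => \$tmpl, %opts);
    $t->param(name => $name);
    return $t->output;
}

# 1. No ESCAPE attribute and no default: the value reaches the page verbatim.
print "unescaped:      ", render('<p><TMPL_VAR NAME="name"></p>'), "\n";

# 2. Per-tag escaping: the author has to remember it on every tag.
print "per-tag escape: ", render('<p><TMPL_VAR NAME="name" ESCAPE=HTML></p>'), "\n";

# 3. Escaping on by default: the bare tag from case 1 is now escaped.
#    Assumes a release that supports default_escape.
print "default escape: ",
    render('<p><TMPL_VAR NAME="name"></p>', default_escape => 'HTML'), "\n";

# 4. Conscious opt-out for a value that is already trusted markup,
#    spelled ESCAPE=NONE as suggested in the reply above.
print "explicit none:  ",
    render('<p><TMPL_VAR NAME="name" ESCAPE=NONE></p>', default_escape => 'HTML'), "\n";
```

With the default switched on, a code review can search templates for `ESCAPE=NONE` to find every place where raw output is allowed.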