Re: [htmltmpl] option to turn ESCAPE=HTML on by default

[Mathew Robertson]

Is layered-escaping that is needed, or can we simply make a new escape module called, say "HTML_JS" Mathew Alex Kapranoff wrote: * Philip Tellis <[EMAIL PROTECTED]> [October 18 2005, 16:02]: s/pretty hard/impossible/; That's why there's only 1 _default_. Oh well, "Perl is designed to make the easy jobs easy, without making the hard jobs impossible." I'd hoped that it was also, "... make impossible jobs pretty hard" BTW, "double" or "layered" escaping is a very wanted feature. See: ====== <script> item.innerHTML = "<strong><TMPL_VAR new_content></strong>"; </script> ====== This var needs first HTML, then JS escaping (in that order) or else the code is likely just plain insecure. This task is not solved right now.