Re: [htmltmpl] option to turn ESCAPE=HTML on by default

[Mathew Robertson]

hehe - then you haven't tried my version of H::T ... I modified H::T so that it dynamically loads the appropriate escape module -> you simply do this: package HTML::Template::ESCAPE::HTML_JS; use HTML::Template::ESCAPE; $HTML::Template::ESCAPE::HTML_JS::VERSION = '1.0'; sub output {   my $self = shift;   $_ = shift if (@_ > 0);   ...blah...   $_; } then save the file somewhere in your PERL5LIB directory list. Mathew Alex Kapranoff wrote: You are right, that would suffice. But as far as I understand, making escape modules is not trivial. Escaping is not abstracted enough inside HTML::Template. * Mathew Robertson <[EMAIL PROTECTED]> [October 20 2005, 08:22]: Is layered-escaping that is needed, or can we simply make a new escape module called, say "HTML_JS" Mathew Alex Kapranoff wrote: * Philip Tellis <[EMAIL PROTECTED]> [October 18 2005, 16:02]: s/pretty hard/impossible/; That's why there's only 1 _default_. Oh well, "Perl is designed to make the easy jobs easy, without making the hard jobs impossible." I'd hoped that it was also, "... make impossible jobs pretty hard" BTW, "double" or "layered" escaping is a very wanted feature. See: ====== <script> item.innerHTML = "<strong><TMPL_VAR new_content></strong>"; </script> ====== This var needs first HTML, then JS escaping (in that order) or else the code is likely just plain insecure. This task is not solved right now.