Hi all! I am working on Yapcom ( http://yapcom.pti.co.il/ ) which is a Perl application that makes use of CGI::Application and HTML::Template. Now we had problems of Cross Site Scripting (XSS) in the past and I came up with this suggestion to hopefully eliminate them, that is based on the idea that it should be hard to output unescaped strings as is:
The HTML::Template documentation for TMPL_VAR: http://search.cpan.org/~samtregar/HTML-Template-2.8/Template.pm#TMPL_VAR

Reads:

<<<<
Optionally you can use the "ESCAPE=HTML" option in the tag to indicate that you want the value to be HTML-escaped before being returned from output (the old ESCAPE=1 syntax is still supported). This means that the ", <, >, and & characters get translated into &quot;, &lt;, &gt; and &amp; respectively. This is useful when you want to use a TMPL_VAR in a context where those characters would cause trouble. Example:
>>>>

Now what I want is to sub-class HTML::Template so we'll always have to use "ESCAPE=HTML". If we want to override it we'll need to do the following:

1. Wrap the string in a special object:

<<<<<
my $string_to_pass = "<h1>Hello</h1>";
my $string_to_pass_as_obj = YAPC::Template::PassThru->new($string_to_pass);
>>>>>

2. Explicitly unlock the object:

<<<<<<
$string_to_pass_as_obj->unlock("unlock");
>>>>>>

Note that unlock returns undef.

3. Add a special parameter to TMPL_VAR:

<<<<<<
<TMPL_VAR NAME="string_to_pass" PASSTHRU="1">
>>>>>>

-----------------

If we pass a simple string then we can only use the TMPL_VAR with ESCAPE="HTML" added. We can also use ESCAPE="HTML" on an unlocked object.

---------------------------

My question is: can this already be done with H::T? If not, I guess I'll work on a sub-class of H::T to do such a thing, unless someone can come up with a better idea.

Regards,

Shlomi Fish

---------------------------------------------------------------------
Shlomi Fish [EMAIL PROTECTED]
Homepage: http://www.shlomifish.org/

Chuck Norris wrote a complete Perl 6 implementation in a day but then destroyed all evidence with his bare hands, so no one will know his secrets.
_______________________________________________
Html-template-users mailing list
Html-template-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/html-template-users
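A runnable sketch of the locked-wrapper idea in Perl, added here as an editor's example; it is not code from the post above or from Yapcom. It assumes HTML::Template is installed and picks a different enforcement point than the post proposes: instead of teaching H::T's tag parser a PASSTHRU attribute (which would mean overriding its template parsing), the subclass HTML-escapes every plain string inside an overridden param(), so templates use a bare TMPL_VAR with no ESCAPE=HTML, and raw markup reaches the output only through a YAPC::Template::PassThru object that has been explicitly unlocked. YAPC::Template::PassThru and unlock("unlock") come from the post; YAPC::Template::Safe, is_unlocked and string are assumed names.

```perl
package YAPC::Template::PassThru;    # name from the post
use strict;
use warnings;

# Wrap a string that is meant to be emitted as raw HTML. Creation alone is
# not enough: the caller must also call unlock("unlock") before the template
# will accept it, which keeps "output this unescaped" a deliberate two-step act.
sub new {
    my ($class, $string) = @_;
    return bless { string => $string, unlocked => 0 }, $class;
}

sub unlock {
    my ($self, $token) = @_;
    die "unlock() requires the literal argument 'unlock'"
        unless defined $token && $token eq 'unlock';
    $self->{unlocked} = 1;
    return;    # returns undef, as described in the post
}

sub is_unlocked { return $_[0]->{unlocked} }    # assumed accessor name
sub string      { return $_[0]->{string} }      # assumed accessor name

package YAPC::Template::Safe;    # assumed subclass name
use strict;
use warnings;
use Scalar::Util qw(blessed);
use base 'HTML::Template';

# The same four characters the HTML::Template docs list for ESCAPE=HTML.
sub _escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    return $s;
}

# Override param() so that plain strings are escaped before HTML::Template
# ever stores them; the template itself can then use a bare <TMPL_VAR>.
# Locked PassThru objects are rejected, unlocked ones pass through verbatim,
# and other references (loop data) are handed to H::T unchanged.
sub param {
    my $self = shift;
    return $self->SUPER::param() if !@_;                          # list names
    return $self->SUPER::param(@_) if @_ == 1 && !ref $_[0];      # getter

    my %args = (@_ == 1 && ref $_[0] eq 'HASH') ? %{ $_[0] } : @_;
    my %clean;
    for my $name (keys %args) {
        my $v = $args{$name};
        if (blessed($v) && $v->isa('YAPC::Template::PassThru')) {
            die "param '$name': PassThru object is still locked"
                unless $v->is_unlocked;
            $clean{$name} = $v->string;
        }
        elsif (ref $v) {
            $clean{$name} = $v;
        }
        else {
            $clean{$name} = defined $v ? _escape_html($v) : $v;
        }
    }
    return $self->SUPER::param(%clean);
}

package main;
use strict;
use warnings;

# Constructed demo template and values (not from Yapcom).
my $tmpl = YAPC::Template::Safe->new(
    scalarref => \'<p><TMPL_VAR NAME="title"></p><TMPL_VAR NAME="body">',
);

my $raw = YAPC::Template::PassThru->new('<h1>Hello</h1>');
$raw->unlock('unlock');    # without this line, param() dies

$tmpl->param(
    title => '"Tom" & <Jerry>',    # plain string: escaped automatically
    body  => $raw,                 # unlocked object: emitted as-is
);
print $tmpl->output, "\n";
```

Run it with `perl safe_template.pl` (any file name); the title comes out with `&quot;`, `&amp;`, `&lt;` and `&gt;` substituted while the heading is emitted raw. Two caveats follow from moving the escaping into param(): a template that still carries ESCAPE=HTML on a variable would double-escape that value, and loop data passed as array references is not escaped by this override, so a production version would need to walk loop rows as well.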