Re: [dancer-users] Best practice to escape HTML entities in Dancer2 and TT
So i set up a quick instance and attempted the doc, i keep getting this: Unrecognized response type from route: Template::Stash::AutoEscaping::Escaped::HTML. Because its an extension i copied some of the subroutine for the _build_engine and so i have: my $tt = Template->new({ STASH => Template::Stash::AutoEscaping->new, %tt_config, }); That stash kills it. The route doesnt like the return obviously but not sure how to fix it from there. On Thu, Mar 22, 2018 at 12:01 PM, Lutz Gehlenwrote: > Hey Scott, hey all, > > ok, here is what I did. I wrote a Dancer2::Template::MyApp module > following the example in Dancer2::Template::TemplateToolkit: > > > package Dancer2::Template::MyApp; > use 5.014; > > use Moo; > use Template::Stash::AutoEscaping; > > extends 'Dancer2::Template::TemplateToolkit'; > > > around '_build_engine' => sub { > my $orig = shift; > my $self = shift; > > my $tt = $self->$orig(@_); > > # replace the stash object > $tt->service->context->{STASH} = Template::Stash::AutoEscaping- > >new( > $self->config->{STASH} > ); > > return $tt; > }; > > > 1; > > > Then I adapted my config.yml > > > template: "MyApp" > engines: > template: > MyApp: > start_tag: '[%' > end_tag: '%]' > ENCODING: utf8 > STASH: > > > If I try to call a route in my application, the route crashes with: > Route exception: Failed to render template: undef error - Not a GLOB > reference at /usr/local/lib/x86_64-linux- > gnu/perl/5.20.2/Template/Provider.pm line 618. > > If I comment out the replacement of the stash object it works > (unsurprisingly). > > I have also tried to overload the entire build_engine method instead > of using "around" in order to construct the Template object with the > alternative stash object right away. This leads to the same result. > > I went to line 618 of Template::Provider and printed out the > respective variable using Data::Dumper. It seems to be an arrayref > blessed into Template::Stash::AutoEscaping::Escaped::HTML. However, > Template::Provider obviously expects a GLOB reference. > > I'd be very thankful if someone could help me on with this. I am > stuck. > > Thank you and best wishes, > Lutz > > > On Monday, 19.03.2018 19:07:19 Lutz Gehlen wrote: > > Hey Scott, > > > > sorry for the long silence. After my return I've tried to get this > > solution to work, but so far I've not been successful. I wanted > > to write up my attempts, but got buried in other work, hence the > > delay. I'll reply in more detail later this week. > > > > Cheers, > > Lutz > > > > On Tuesday, 13.03.2018 12:51:54 Scott H wrote: > > > Did this work? > > > > > > On Wed, Feb 21, 2018 at 6:46 AM, Lutz Gehlen > > > > wrote: > > > > Hi Scott, > > > > > > > > thank you for your reply. This looks exactly like the piece of > > > > information I was lacking. I'll be traveling the next couple > > > > of > > > > days, but I'll certainly try this approach next week. > > > > > > > > Cheers, > > > > Lutz > > > > > > > > On Tuesday, 20.02.2018 11:40:00 Scott H wrote: > > > > > Looking into what your asking, have you tried this: > > > > > https://metacpan.org/pod/Dancer2::Template::TemplateToolkit > > > > > > > > > > Go to Advanced Customizations and you'll see how to create a > > > > > subclass module to return $tt. Have you tried this method? > > > > > > > > > > -Scott > > > > > > > > > > On Tue, Feb 20, 2018 at 1:47 AM, Lutz Gehlen > > > > > > > [...] > > ___ > dancer-users mailing list > dancer-users@dancer.pm > http://lists.preshweb.co.uk/mailman/listinfo/dancer-users > ___ dancer-users mailing list dancer-users@dancer.pm http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
Re: [dancer-users] Best practice to escape HTML entities in Dancer2 and TT
Hey Scott, hey all, ok, here is what I did. I wrote a Dancer2::Template::MyApp module following the example in Dancer2::Template::TemplateToolkit: package Dancer2::Template::MyApp; use 5.014; use Moo; use Template::Stash::AutoEscaping; extends 'Dancer2::Template::TemplateToolkit'; around '_build_engine' => sub { my $orig = shift; my $self = shift; my $tt = $self->$orig(@_); # replace the stash object $tt->service->context->{STASH} = Template::Stash::AutoEscaping- >new( $self->config->{STASH} ); return $tt; }; 1; Then I adapted my config.yml template: "MyApp" engines: template: MyApp: start_tag: '[%' end_tag: '%]' ENCODING: utf8 STASH: If I try to call a route in my application, the route crashes with: Route exception: Failed to render template: undef error - Not a GLOB reference at /usr/local/lib/x86_64-linux- gnu/perl/5.20.2/Template/Provider.pm line 618. If I comment out the replacement of the stash object it works (unsurprisingly). I have also tried to overload the entire build_engine method instead of using "around" in order to construct the Template object with the alternative stash object right away. This leads to the same result. I went to line 618 of Template::Provider and printed out the respective variable using Data::Dumper. It seems to be an arrayref blessed into Template::Stash::AutoEscaping::Escaped::HTML. However, Template::Provider obviously expects a GLOB reference. I'd be very thankful if someone could help me on with this. I am stuck. Thank you and best wishes, Lutz On Monday, 19.03.2018 19:07:19 Lutz Gehlen wrote: > Hey Scott, > > sorry for the long silence. After my return I've tried to get this > solution to work, but so far I've not been successful. I wanted > to write up my attempts, but got buried in other work, hence the > delay. I'll reply in more detail later this week. > > Cheers, > Lutz > > On Tuesday, 13.03.2018 12:51:54 Scott H wrote: > > Did this work? > > > > On Wed, Feb 21, 2018 at 6:46 AM, Lutz Gehlen> > wrote: > > > Hi Scott, > > > > > > thank you for your reply. This looks exactly like the piece of > > > information I was lacking. I'll be traveling the next couple > > > of > > > days, but I'll certainly try this approach next week. > > > > > > Cheers, > > > Lutz > > > > > > On Tuesday, 20.02.2018 11:40:00 Scott H wrote: > > > > Looking into what your asking, have you tried this: > > > > https://metacpan.org/pod/Dancer2::Template::TemplateToolkit > > > > > > > > Go to Advanced Customizations and you'll see how to create a > > > > subclass module to return $tt. Have you tried this method? > > > > > > > > -Scott > > > > > > > > On Tue, Feb 20, 2018 at 1:47 AM, Lutz Gehlen > > > > [...] ___ dancer-users mailing list dancer-users@dancer.pm http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
Re: [dancer-users] Best practice to escape HTML entities in Dancer2 and TT
Hey Scott, sorry for the long silence. After my return I've tried to get this solution to work, but so far I've not been successful. I wanted to write up my attempts, but got buried in other work, hence the delay. I'll reply in more detail later this week. Cheers, Lutz On Tuesday, 13.03.2018 12:51:54 Scott H wrote: > Did this work? > > On Wed, Feb 21, 2018 at 6:46 AM, Lutz Gehlenwrote: > > Hi Scott, > > > > thank you for your reply. This looks exactly like the piece of > > information I was lacking. I'll be traveling the next couple of > > days, but I'll certainly try this approach next week. > > > > Cheers, > > Lutz > > > > On Tuesday, 20.02.2018 11:40:00 Scott H wrote: > > > Looking into what your asking, have you tried this: > > > https://metacpan.org/pod/Dancer2::Template::TemplateToolkit > > > > > > Go to Advanced Customizations and you'll see how to create a > > > subclass module to return $tt. Have you tried this method? > > > > > > -Scott > > > > > > On Tue, Feb 20, 2018 at 1:47 AM, Lutz Gehlen > > > > wrote: > > > > Hi Warren, > > > > > > > > thank you for your reply and your research on the escaping > > > > plugins.> > > > > > > > > On Monday, 19.02.2018 10:59:19 Warren Young wrote: > > > > > Since you seem to have an itch here, how about you port > > > > > the > > > > > plugin? Then you get the software you want. You’ve got > > > > > preexisting code on both sides to work with: the source > > > > > plugin > > > > > and many examples of existing D2 plugins to aid in the > > > > > translation. > > > > > > > > Yes, maybe porting the plugin is the way to go. However, > > > > part of > > > > my intention in raising this topic on the list was to find > > > > out > > > > whether a port of Dancer::Plugin::EscapeHTML actually _is_ > > > > the > > > > software I really want. What made me think was that nobody > > > > has > > > > done it so far as a solution to what I believed to be a > > > > standard problem. > > > > > > > > Furthermore, the documentation of Dancer::Plugin::EscapeHTML > > > > states: "If you're using Template Toolkit, you may wish to > > > > look > > > > instead at Template::Stash::EscapeHTML which takes care of > > > > this > > > > reliably at the template engine level, and is more > > > > widely-used > > > > and tested than this module." > > > > > > > > This supposedly goes along the same line as Shlomi's > > > > suggestion > > > > of Template::Stash::AutoEscaping, but so far I have not > > > > figured > > > > out how to deploy this approach in Dancer. > > > > > > > > So to come back to your suggestion of porting > > > > Dancer::Plugin::EscapeHTML to Dancer2, I will consider it, > > > > but > > > > need to find out more about whether this is the right way to > > > > go. > > > > > > > > Cheers, > > > > Lutz > > > > > > > > ___ > > > > dancer-users mailing list > > > > dancer-users@dancer.pm > > > > http://lists.preshweb.co.uk/mailman/listinfo/dancer-users > > > > ___ > > dancer-users mailing list > > dancer-users@dancer.pm > > http://lists.preshweb.co.uk/mailman/listinfo/dancer-users ___ dancer-users mailing list dancer-users@dancer.pm http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
Re: [dancer-users] Best practice to escape HTML entities in Dancer2 and TT
Did this work? On Wed, Feb 21, 2018 at 6:46 AM, Lutz Gehlenwrote: > Hi Scott, > > thank you for your reply. This looks exactly like the piece of > information I was lacking. I'll be traveling the next couple of > days, but I'll certainly try this approach next week. > > Cheers, > Lutz > > > On Tuesday, 20.02.2018 11:40:00 Scott H wrote: > > Looking into what your asking, have you tried this: > > https://metacpan.org/pod/Dancer2::Template::TemplateToolkit > > > > Go to Advanced Customizations and you'll see how to create a > > subclass module to return $tt. Have you tried this method? > > > > -Scott > > > > On Tue, Feb 20, 2018 at 1:47 AM, Lutz Gehlen > wrote: > > > Hi Warren, > > > > > > thank you for your reply and your research on the escaping > > > plugins.> > > > On Monday, 19.02.2018 10:59:19 Warren Young wrote: > > > > Since you seem to have an itch here, how about you port the > > > > plugin? Then you get the software you want. You’ve got > > > > preexisting code on both sides to work with: the source plugin > > > > and many examples of existing D2 plugins to aid in the > > > > translation. > > > > > > Yes, maybe porting the plugin is the way to go. However, part of > > > my intention in raising this topic on the list was to find out > > > whether a port of Dancer::Plugin::EscapeHTML actually _is_ the > > > software I really want. What made me think was that nobody has > > > done it so far as a solution to what I believed to be a > > > standard problem. > > > > > > Furthermore, the documentation of Dancer::Plugin::EscapeHTML > > > states: "If you're using Template Toolkit, you may wish to look > > > instead at Template::Stash::EscapeHTML which takes care of this > > > reliably at the template engine level, and is more widely-used > > > and tested than this module." > > > > > > This supposedly goes along the same line as Shlomi's suggestion > > > of Template::Stash::AutoEscaping, but so far I have not figured > > > out how to deploy this approach in Dancer. > > > > > > So to come back to your suggestion of porting > > > Dancer::Plugin::EscapeHTML to Dancer2, I will consider it, but > > > need to find out more about whether this is the right way to > > > go. > > > > > > Cheers, > > > Lutz > > > > > > ___ > > > dancer-users mailing list > > > dancer-users@dancer.pm > > > http://lists.preshweb.co.uk/mailman/listinfo/dancer-users > > ___ > dancer-users mailing list > dancer-users@dancer.pm > http://lists.preshweb.co.uk/mailman/listinfo/dancer-users > ___ dancer-users mailing list dancer-users@dancer.pm http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
Re: [dancer-users] Best practice to escape HTML entities in Dancer2 and TT
Hi Scott, thank you for your reply. This looks exactly like the piece of information I was lacking. I'll be traveling the next couple of days, but I'll certainly try this approach next week. Cheers, Lutz On Tuesday, 20.02.2018 11:40:00 Scott H wrote: > Looking into what your asking, have you tried this: > https://metacpan.org/pod/Dancer2::Template::TemplateToolkit > > Go to Advanced Customizations and you'll see how to create a > subclass module to return $tt. Have you tried this method? > > -Scott > > On Tue, Feb 20, 2018 at 1:47 AM, Lutz Gehlenwrote: > > Hi Warren, > > > > thank you for your reply and your research on the escaping > > plugins.> > > On Monday, 19.02.2018 10:59:19 Warren Young wrote: > > > Since you seem to have an itch here, how about you port the > > > plugin? Then you get the software you want. You’ve got > > > preexisting code on both sides to work with: the source plugin > > > and many examples of existing D2 plugins to aid in the > > > translation. > > > > Yes, maybe porting the plugin is the way to go. However, part of > > my intention in raising this topic on the list was to find out > > whether a port of Dancer::Plugin::EscapeHTML actually _is_ the > > software I really want. What made me think was that nobody has > > done it so far as a solution to what I believed to be a > > standard problem. > > > > Furthermore, the documentation of Dancer::Plugin::EscapeHTML > > states: "If you're using Template Toolkit, you may wish to look > > instead at Template::Stash::EscapeHTML which takes care of this > > reliably at the template engine level, and is more widely-used > > and tested than this module." > > > > This supposedly goes along the same line as Shlomi's suggestion > > of Template::Stash::AutoEscaping, but so far I have not figured > > out how to deploy this approach in Dancer. > > > > So to come back to your suggestion of porting > > Dancer::Plugin::EscapeHTML to Dancer2, I will consider it, but > > need to find out more about whether this is the right way to > > go. > > > > Cheers, > > Lutz > > > > ___ > > dancer-users mailing list > > dancer-users@dancer.pm > > http://lists.preshweb.co.uk/mailman/listinfo/dancer-users ___ dancer-users mailing list dancer-users@dancer.pm http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
Re: [dancer-users] Best practice to escape HTML entities in Dancer2 and TT
Looking into what your asking, have you tried this: https://metacpan.org/pod/Dancer2::Template::TemplateToolkit Go to Advanced Customizations and you'll see how to create a subclass module to return $tt. Have you tried this method? -Scott On Tue, Feb 20, 2018 at 1:47 AM, Lutz Gehlenwrote: > Hi Warren, > > thank you for your reply and your research on the escaping plugins. > > On Monday, 19.02.2018 10:59:19 Warren Young wrote: > > Since you seem to have an itch here, how about you port the > > plugin? Then you get the software you want. You’ve got > > preexisting code on both sides to work with: the source plugin > > and many examples of existing D2 plugins to aid in the > > translation. > > Yes, maybe porting the plugin is the way to go. However, part of my > intention in raising this topic on the list was to find out whether a > port of Dancer::Plugin::EscapeHTML actually _is_ the software I > really want. What made me think was that nobody has done it so far > as a solution to what I believed to be a standard problem. > > Furthermore, the documentation of Dancer::Plugin::EscapeHTML states: > "If you're using Template Toolkit, you may wish to look instead at > Template::Stash::EscapeHTML which takes care of this reliably at the > template engine level, and is more widely-used and tested than this > module." > > This supposedly goes along the same line as Shlomi's suggestion of > Template::Stash::AutoEscaping, but so far I have not figured out how > to deploy this approach in Dancer. > > So to come back to your suggestion of porting > Dancer::Plugin::EscapeHTML to Dancer2, I will consider it, but need > to find out more about whether this is the right way to go. > > Cheers, > Lutz > > ___ > dancer-users mailing list > dancer-users@dancer.pm > http://lists.preshweb.co.uk/mailman/listinfo/dancer-users > ___ dancer-users mailing list dancer-users@dancer.pm http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
Re: [dancer-users] Best practice to escape HTML entities in Dancer2 and TT
Hi Warren, thank you for your reply and your research on the escaping plugins. On Monday, 19.02.2018 10:59:19 Warren Young wrote: > Since you seem to have an itch here, how about you port the > plugin? Then you get the software you want. You’ve got > preexisting code on both sides to work with: the source plugin > and many examples of existing D2 plugins to aid in the > translation. Yes, maybe porting the plugin is the way to go. However, part of my intention in raising this topic on the list was to find out whether a port of Dancer::Plugin::EscapeHTML actually _is_ the software I really want. What made me think was that nobody has done it so far as a solution to what I believed to be a standard problem. Furthermore, the documentation of Dancer::Plugin::EscapeHTML states: "If you're using Template Toolkit, you may wish to look instead at Template::Stash::EscapeHTML which takes care of this reliably at the template engine level, and is more widely-used and tested than this module." This supposedly goes along the same line as Shlomi's suggestion of Template::Stash::AutoEscaping, but so far I have not figured out how to deploy this approach in Dancer. So to come back to your suggestion of porting Dancer::Plugin::EscapeHTML to Dancer2, I will consider it, but need to find out more about whether this is the right way to go. Cheers, Lutz ___ dancer-users mailing list dancer-users@dancer.pm http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
Re: [dancer-users] Best practice to escape HTML entities in Dancer2 and TT
On Feb 19, 2018, at 10:59 AM, Warren Youngwrote: > > Since you seem to have an itch here, how about you port the plugin? I was just reading more of that Stack Overflow page, and the *second* answer is by brian d foy, who points out that HTML::Escape is either 2 or 20x faster than HTML::Entities in his testing, depending on whether he uses the native Perl version or the XS version: https://stackoverflow.com/a/14818874 Since D2 is normally installed via automatic CPAN retrieval tools rather than by manually unpacking tarballs, the nonstandard dependency shouldn’t be a problem for your new plugin, unless you have existing installations at sites without reliable Internet access. ___ dancer-users mailing list dancer-users@dancer.pm http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
Re: [dancer-users] Best practice to escape HTML entities in Dancer2 and TT
On Feb 19, 2018, at 5:08 AM, Lutz Gehlenwrote: > > What is everybody else > doing? Or am I mistaken and this is a minority problem after all? The problem never came up for me because my Dancer code was migrated from Apache::ASP, which doesn’t have anything like the solutions proposed so far in this thread. I had to do my own escaping with HTML::Entities and such, so keeping that existing code has been the path of least resistance. It may well be that when people go searching the web for “perl html escape”, they find HTML::Entities and just go with that. It’s the third result here. (YMMV.) The first result recommends URI::Escape instead, which is wrong, and the second answer is a Stack Overflow post, where the top answer recommends HTML::Escape. Since you seem to have an itch here, how about you port the plugin? Then you get the software you want. You’ve got preexisting code on both sides to work with: the source plugin and many examples of existing D2 plugins to aid in the translation. ___ dancer-users mailing list dancer-users@dancer.pm http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
Re: [dancer-users] Best practice to escape HTML entities in Dancer2 and TT
Hello all, since there have been no further replies, I am wondering whether I am asking the wrong question. I would have thought that nearly every Dancer user is facing this problem, hence I am a bit surprised that there doesn't seem to be a standard solution. What is everybody else doing? Or am I mistaken and this is a minority problem after all? Cheers, Lutz On Saturday, 10.02.2018 11:15:07 Lutz Gehlen wrote: > Hello all, > > in Dancer1, I have been using Dancer::Plugin::EscapeHTML to > automatically escape HTML entities in server generated output. I > have never tried to figure out how it does its job, but it seemed > to do what I needed. > > I have not found a similar plugin for Dancer2. However, this must > be a widespread problem, isn't it? What is the best practice to > automatically escape HTML entities with Dancer2 and > Template::Toolkit? > > Thank you and best wishes, > Lutz > > ___ > dancer-users mailing list > dancer-users@dancer.pm > http://lists.preshweb.co.uk/mailman/listinfo/dancer-users ___ dancer-users mailing list dancer-users@dancer.pm http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
Re: [dancer-users] Best practice to escape HTML entities in Dancer2 and TT
On Sun, 11 Feb 2018 00:45:13 +0100 Lutz Gehlenwrote: > On Saturday, 10.02.2018 09:16:52 Hermann Calabria wrote: > > Why not use TT’s native FILTER capability: > > > > <% somehtml FILTER html %> > > The reason is that the application has many templates with many > output sections that need to be filtered. To add the html filter to > each of these places would be both cumbersome and error-prone. Agreed. Having taken the FILTER approach until now, I have come to the conclusion that some will always be missed at some point in the application's development, leading to potential XSS vulnerabilities. Andy ___ dancer-users mailing list dancer-users@dancer.pm http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
Re: [dancer-users] Best practice to escape HTML entities in Dancer2 and TT
Hi Hermann, On Saturday, 10.02.2018 09:16:52 Hermann Calabria wrote: > Why not use TT’s native FILTER capability: > > <% somehtml FILTER html %> The reason is that the application has many templates with many output sections that need to be filtered. To add the html filter to each of these places would be both cumbersome and error-prone. I think it would be safer and more elegant to use a more centralized approach. > From an MVC perspective it’s probably the right place to do html > escaping — not at the lib (Model) level. I agree that the View level is the right place to do the escaping instead of e.g. the Model level. However, a solution along the lines of Shlomi's suggestion, which modifies the behavior of Template::Toolkit, _is_ at the View level. Best wishes, Lutz > > On Feb 10, 2018, at 8:39 AM, Lutz Gehlenwrote: > > > > Hi Shlomi, > > > > thanks for your reply. I have tried to use your module, but I am > > unsure how to activate it in my Dancer2 application. I have > > added > > the class as STASH to my template engine in config.yml: > > > > template: "template_toolkit" > > > > engines: > > template: > >template_toolkit: > > start_tag: '[%' > > end_tag: '%]' > > ENCODING: utf8 > > > > ... > > > > STASH: 'Template::Stash::AutoEscaping' > > > > First, I got the error message that the module was not loaded, > > but even if I load the module manually I get: > > > > Can't use string ("Template::Stash::AutoEscaping") as a HASH ref > > while "strict refs" in use at /usr/local/lib/x86_64-linux- > > gnu/perl/5.20.2/Template/Stash.pm line 161. > > > > It seems like Template::Stash expects an instance of the stash > > class (like you show in the SYNOPSIS section of your module). > > But how do I tell Dancer2 to instantiate the class and hand it > > over to TT? Can you help we with that? > > > > Cheers, > > Lutz > > > >> On Saturday, 10.02.2018 13:42:01 Shlomi Fish wrote: > >> Hi Lutz, > >> > >> On Sat, 10 Feb 2018 11:15:07 +0100 > >> > >> Lutz Gehlen wrote: > >>> Hello all, > >>> > >>> in Dancer1, I have been using Dancer::Plugin::EscapeHTML to > >>> automatically escape HTML entities in server generated output. > >>> I > >>> have never tried to figure out how it does its job, but it > >>> seemed to do what I needed. > >>> > >>> I have not found a similar plugin for Dancer2. However, this > >>> must be a widespread problem, isn't it? What is the best > >>> practice to automatically escape HTML entities with Dancer2 > >>> and > >>> Template::Toolkit? > >> > >> perhaps see > >> https://metacpan.org/release/Template-Stash-AutoEscaping . Note > >> that it is a fork by me of a different module. > >> > >>> Thank you and best wishes, > >>> Lutz ___ dancer-users mailing list dancer-users@dancer.pm http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
Re: [dancer-users] Best practice to escape HTML entities in Dancer2 and TT
Hi Shlomi, thanks for your reply. I have tried to use your module, but I am unsure how to activate it in my Dancer2 application. I have added the class as STASH to my template engine in config.yml: template: "template_toolkit" engines: template: template_toolkit: start_tag: '[%' end_tag: '%]' ENCODING: utf8 ... STASH: 'Template::Stash::AutoEscaping' First, I got the error message that the module was not loaded, but even if I load the module manually I get: Can't use string ("Template::Stash::AutoEscaping") as a HASH ref while "strict refs" in use at /usr/local/lib/x86_64-linux- gnu/perl/5.20.2/Template/Stash.pm line 161. It seems like Template::Stash expects an instance of the stash class (like you show in the SYNOPSIS section of your module). But how do I tell Dancer2 to instantiate the class and hand it over to TT? Can you help we with that? Cheers, Lutz On Saturday, 10.02.2018 13:42:01 Shlomi Fish wrote: > Hi Lutz, > > On Sat, 10 Feb 2018 11:15:07 +0100 > > Lutz Gehlenwrote: > > Hello all, > > > > in Dancer1, I have been using Dancer::Plugin::EscapeHTML to > > automatically escape HTML entities in server generated output. I > > have never tried to figure out how it does its job, but it > > seemed to do what I needed. > > > > I have not found a similar plugin for Dancer2. However, this > > must be a widespread problem, isn't it? What is the best > > practice to automatically escape HTML entities with Dancer2 and > > Template::Toolkit? > > perhaps see > https://metacpan.org/release/Template-Stash-AutoEscaping . Note > that it is a fork by me of a different module. > > > Thank you and best wishes, > > Lutz > > > > ___ > > dancer-users mailing list > > dancer-users@dancer.pm > > http://lists.preshweb.co.uk/mailman/listinfo/dancer-users ___ dancer-users mailing list dancer-users@dancer.pm http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
Re: [dancer-users] Best practice to escape HTML entities in Dancer2 and TT
Hi Lutz, On Sat, 10 Feb 2018 11:15:07 +0100 Lutz Gehlenwrote: > Hello all, > > in Dancer1, I have been using Dancer::Plugin::EscapeHTML to > automatically escape HTML entities in server generated output. I > have never tried to figure out how it does its job, but it seemed to > do what I needed. > > I have not found a similar plugin for Dancer2. However, this must be > a widespread problem, isn't it? What is the best practice to > automatically escape HTML entities with Dancer2 and > Template::Toolkit? > perhaps see https://metacpan.org/release/Template-Stash-AutoEscaping . Note that it is a fork by me of a different module. > Thank you and best wishes, > Lutz > > ___ > dancer-users mailing list > dancer-users@dancer.pm > http://lists.preshweb.co.uk/mailman/listinfo/dancer-users -- - Shlomi Fish http://www.shlomifish.org/ First stop for Perl beginners - http://perl-begin.org/ Flock aims to be the browser for the social web, but I found it to be the completely anti-social browser. Please reply to list if it's a mailing list post - http://shlom.in/reply . ___ dancer-users mailing list dancer-users@dancer.pm http://lists.preshweb.co.uk/mailman/listinfo/dancer-users