Hi all,
At last, I've created a patch for Template::Filters that introduces a
new filter function html_all, which escapes all special characters in
an HTML text. The filter tries to use either Apache::Util or
HTML::Entities and sets up the appropriate filter function at module
load time. I don't know if this is clean programming style, but it
doesn't impose any slow-downs at runtime.
If the patch is accepted and you are interested, I can supply
patches for documentation and tests, as Leon did (Leon, I used part of
your documentation for the description of the filter. I hope this is
okay).
There remains still one issue with escaping characters for HTML. The
HTML plug-in has its own escape function and doesn't know anything of
this filter. We could use the same code there or remove the escape
function from Template::Plugin::HTML altogether.
Best regards,
Axel
cvs -z9 diff -w -u -r2.43 Filters.pm
Index: Filters.pm
===================================================================
RCS file: /template-toolkit/Template2/lib/Template/Filters.pm,v
retrieving revision 2.43
diff -w -u -r2.43 Filters.pm
--- Filters.pm 2002/01/17 11:49:41 2.43
+++ Filters.pm 2002/01/20 22:22:41
@@ -47,6 +47,7 @@
$FILTERS = {
# static filters
'uri' => \&uri_filter,
+ 'html_all' => _init_html_all_filter(),
'html_para' => \&html_paragraph,
'html_break' => \&html_break,
'upper' => sub { uc $_[0] },
@@ -211,6 +212,50 @@
}
+#------------------------------------------------------------------------
+# _init_html_all_filter() [% FILTER html_all %]
+#
+# Sets up the html_all filter and is called when this module is loaded.
+#
+# This filter converts any 'E<lt>', 'E<gt>', '&', '�' etc. characters to
+# equivalent character entity references '<', '>', '&' and
+# 'é' etc., protecting them from being interpreted as representing
+# HTML tags or entities. See the following URL for more information:
+# http://www.w3.org/TR/REC-html40/sgml/entities.html
+#
+# The filter needs either Apache::Util or HTML::Entities. If you have
+# neither of them installed you cannot use this filter, and it will throw
+# an exception. Converting characters with Apache::Util is much faster
+# because it is written in C (see perldoc Apache::Util), but it runs only
+# under mod_perl.
+#------------------------------------------------------------------------
+
+sub _init_html_all_filter {
+ # Try using Apache::Util. Actually we have to call escape_html once
+ # to find out if it is available. An alternative would be to check for
+ # the MOD_PERL environment variable.
+ eval {
+ use Apache::Util;
+ Apache::Util::escape_html('');
+ };
+ return \&Apache::Util::escape_html
+ unless ($@);
+
+ # Apache::Util is not available, so we try using HTML::Entities
+ eval "use HTML::Entities";
+ return \&HTML::Entities::encode_entities
+ unless ($@);
+
+ # No conversion module is available, so html_all throws an exception
+ return sub {
+ die Template::Exception->new('html_all',
+ "Can't convert HTML characters because neither Apache::Util " .
+ "nor HTML::Entities is available.");
+ };
+}
+
+
+
#========================================================================
# -- STATIC FILTER SUBS --
#========================================================================