I developed this patch because I have hundreds of templates which do
not properly HTML escape insertion of data. The patch allows one to
use:

    [% GETFILTER 'fname' %] ...block... [% END %]

and all GETS within the block will be filtered through the Perl
function 'fname' before being added to the output buffer. The
GETFILTER directive is nestable, and you can use them in templates
invoked with WRAPPER and INCLUDE, etc.

The implementation is very simple. In Parser.yp, the grammar for the
GETFILTER directive is:

    getfilter: getfilter_begin block END { $factory->pop_getfilter; $_[2]; } ;
    getfilter_begin: GETFILTER LITERAL ';' { $factory->push_getfilter($_[2]); } ;

push/pop_getfilter() just maintain a stack of the filter function names.
Then in Template::Directive::get(), the code generated is modified to
include the current (if any) filter function name:
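
    sub get {
        my ($class, $expr) = @_;
        my $filter = (get current filter function name from $class);
        if ($filter) {
            # wrap the GET expression in a call to the active filter
            "$OUTPUT ".$filter."($expr);";
        } else {
            # no filter active: emit the expression unchanged
            "$OUTPUT $expr;";
        }
    }
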
I've done a fair amount of testing, and it seems to work like I want
it to. I like it because I can specify a default GET filter but later
turn it off or change it for a block I don't want filtered, e.g.:

    [% GETFILTER '::html_escape' %]
      ... lots of HTML that look like <textarea>[% comment %]</textarea>
      [% GETFILTER '' %]
        ... not auto html-escaped...
      [% END %]
      ... back to auto HTML escaping...
    [% END %]

Any comments?
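
Added example, not part of the original post or of Template Toolkit: a toy Perl compiler that applies the scheme described above (a stack of filter names consulted when each GET is compiled) to a nested template with the filter switched off in an inner block. The names compile_template and html_escape, the token regexes, and the sample template and data are assumptions made for illustration; the check on the filter name is also an addition, included because the name is pasted into generated Perl.

```perl
use strict;
use warnings;

# Constructed filter; '::html_escape' in the post resolves to main::html_escape.
sub html_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Toy compiler (hypothetical, not Template::Parser): each GET is wrapped in the
# filter that is on top of the stack at the moment that GET is compiled.
sub compile_template {
    my ($text) = @_;
    my (@filters, @lit);               # filter-name stack; literal text chunks
    my $code = '';
    for my $tok (split /(\[%.*?%\])/s, $text) {
        next if $tok eq '';
        if ($tok =~ /^\[%\s*GETFILTER\s+'([^']*)'\s*%\]$/) {
            my $name = $1;
            # The name is pasted into generated Perl: accept a sub name only.
            die "bad filter name '$name'\n"
                unless $name eq '' || $name =~ /^(?:::)?[A-Za-z_]\w*(?:::\w+)*$/;
            push @filters, $name;
        }
        elsif ($tok =~ /^\[%\s*END\s*%\]$/) {
            die "END without GETFILTER\n" unless @filters;
            pop @filters;
        }
        elsif ($tok =~ /^\[%\s*(\w+)\s*%\]$/) {
            my $expr   = sprintf q{$vars->{'%s'}}, $1;
            my $filter = @filters ? $filters[-1] : '';
            $code .= $filter ne '' ? "\$out .= $filter($expr);\n" : "\$out .= $expr;\n";
        }
        elsif ($tok =~ /^\[%/) { die "unsupported directive: $tok\n" }
        else {
            my $i = push(@lit, $tok) - 1;      # keep literal text out of the eval string
            $code .= "\$out .= \$lit[$i];\n";
        }
    }
    die "unclosed GETFILTER\n" if @filters;
    my $sub = eval "sub { my (\$vars) = \@_; my \$out = '';\n$code\$out }";
    die $@ unless $sub;
    return $sub;
}

my $render = compile_template(<<'T');    # constructed template and data
[% GETFILTER '::html_escape' %]<textarea>[% comment %]</textarea>
[% GETFILTER '' %]<div>[% trusted %]</div>
[% END %]<p>[% comment %]</p>[% END %]
T
print $render->({ comment => '</textarea><b>x</b>', trusted => '<i>ok</i>' });
```

Both uses of comment come out entity-encoded, while trusted, inside the GETFILTER '' block, is emitted verbatim, so the unfiltered block is the place to review for values that reach the page unescaped.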