We all know that it's a good practice to always HTML escape data
that is inserted into HTML documents, e.g.:

[% BLOCK greet %]
<html>
<body>
Hello, [% name | html %]
</body>
</html>
[% END %]
...
[% PROCESS greet name="Smith & Jones" %]

The caller then doesn't have to worry about performing the escaping
before passing it to the template.

I'd like to see TT adopt a convention which would allow the caller to
pass in already HTML-escaped data. The effect of the '| html' filter
would effectively be a no-op. E.g., something like:

[% PROCESS greet name=html("<blink>Smith</blink> &amp; <tt>Jones</tt>") %]

would produce:

<html>
<body>
Hello, <blink>Smith</blink> &amp; <tt>Jones</tt>
</body>
</html>

In this case it would be the caller's responsibility to ensure that
the text was already HTML-escaped.

The advantage would be that it would allow template writers to always
use the '| html' filter in their templates, but it would permit
template users to supply data as either "raw" data or HTML. In either
case the inserted text would be HTML.

Implementation....

Such a feature can already be implemented as a virtual method. Simply
create a global virtual method '.to_html' which would perform the same
transformations as the default html filter. The above BLOCK would be
written like this:

[% BLOCK greet %]
<html>
<body>
Hello, [% name.to_html %]
</body>
</html>
[% END %]

To pass in already escaped HTML, simply create an object that has a
->to_html method which returns the HTML text, e.g. something like
this:

package HtmlText;
# Wrap the string in a blessed scalar ref (copying it, so the caller's
# variable is not aliased); ->to_html hands the text back unchanged.
sub new     { my ($class, $text) = @_; bless \$text, $class }
sub to_html { ${ $_[0] } }

Then define the html(...) function to call HtmlText->new(...).

I think it would be worthwhile for TT to implement this capability
with the '| html' filter.

Comments?

ER

_______________________________________________
templates mailing list
[email protected]
http://mail.template-toolkit.org/mailman/listinfo/templates

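A runnable version of the scheme sketched in the post above, added here as an example; it is not code from the original message or from the Template Toolkit distribution. It assumes the `.to_html` vmethod is registered through `$Template::Stash::SCALAR_OPS`, that `html(...)` is supplied to the template as an ordinary code-ref variable, and that the `untrusted` value is a constructed sample of attacker-controlled input used to show the failure mode the post leaves to the caller.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;
use Template::Stash;

# Marker class for text the caller promises is already HTML-escaped.
# The template calls name.to_html: TT dispatches to this method when
# name is an HtmlText object and to the scalar vmethod otherwise.
package HtmlText;
sub new     { my ($class, $text) = @_; bless \$text, $class }
sub to_html { ${ $_[0] } }

package main;

# Scalar vmethod .to_html for plain strings: the same four substitutions
# as TT's built-in 'html' filter, applied to data that is not yet HTML.
$Template::Stash::SCALAR_OPS->{to_html} = sub {
    my $text = shift;
    $text = '' unless defined $text;
    for ($text) {
        s/&/&amp;/g;
        s/</&lt;/g;
        s/>/&gt;/g;
        s/"/&quot;/g;
    }
    return $text;
};

# The BLOCK from the post; the caller decides whether name is raw or HTML.
my $template = <<'TT';
[% BLOCK greet -%]
<p>Hello, [% name.to_html %]</p>
[% END -%]
[% PROCESS greet name="Smith & Jones" -%]
[% PROCESS greet name=html("<b>Smith</b> &amp; <tt>Jones</tt>") -%]
[% PROCESS greet name=html(untrusted) -%]
TT

my $vars = {
    # html(...) as proposed in the post: a function returning the marker
    # object (here a code-ref variable; an assumption of this example).
    html      => sub { HtmlText->new(shift) },
    # Constructed attacker-controlled input. Wrapping it in html() is the
    # hazard: the vmethod cannot verify the caller's promise, so it is
    # emitted verbatim.
    untrusted => '<script>alert(1)</script>',
};

my $tt = Template->new() or die Template->error;
my $output;
$tt->process(\$template, $vars, \$output) or die $tt->error;
print $output;
```

Running it prints three greetings: the raw string escaped (`Smith &amp; Jones`), the pre-escaped markup passed through unchanged, and the `untrusted` value injected as live script. That last line is the practical caveat: `html()` is a trust marker, not a sanitizer, so it belongs only at the point where HTML is generated or sanitized, never around data whose origin the caller cannot vouch for. Auditing a code base for the `html(` call sites is then the way to review where escaping is being bypassed.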