Thread: Template::Plugin::XML::Escape




Template::Plugin::XML::Escape
user name
2006-06-16 14:05:05
Quoting Dominic Mitchell <domhappygiraffe.net>:

> On Fri, Jun 16, 2006 at 01:43:19PM +0100, Dave Cross wrote:
>> Quoting Toby Corkindale <tjcwintrmute.net>:
>>
>> >Maybe I've just re-invented the wheel, but in case I haven't, there's a
>> >very simple little module I've just uploaded to CPAN:
>> >Template::Plugin::XML::Escape
>> >
>> >It just escapes the naughty <>'"& characters into XML entities.
>>
>> Sounds a lot like the standard HTML filter.
>>
>> http://search.cpan.org/dist/Template-Toolkit/lib/Template/Manual/Filters.pod#html
>
> The real issue I have with all these damned things is that escaping
> isn't done by default.  As abhorrent as HTML::Mason otherwise is[1], it
> does have the option of turning on HTML escaping by default.  This is a
> superb help towards stopping cross-site scripting attacks.

HTML::Mason has the advantage of knowing that what it's producing will
be HTML. TT doesn't know that. I'd get really pissed off if TT started
doing automatic HTML entity escaping on a template that was producing
plain text. Or a PDF.

> Database users learnt to use placeholders years ago when they realised
> that manually quoting things was a pain in the posterior.  Why can't web
> frameworks do the same?

Fair point. But TT isn't a web framework. Which is why I use it

Dave...
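The opt-in escaping being argued about above, as an added example that is not code from the thread or from Template::Plugin::XML::Escape: the same untrusted value rendered raw, through TT's standard html filter, through a custom filter covering the five characters the plugin describes, and in a plain-text template where escaping would be the wrong default. The filter name xml, the xml_escape routine and the sample input are assumptions of this example; it needs only the Template module installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Constructed untrusted input: what a visitor might type into a "name" field.
my $untrusted = q{<script>alert("xss")</script> Tom & 'Jerry'};

# Assumed filter escaping the five characters the plugin describes (<>'"&).
# TT's built-in html filter covers & < > " and leaves the single quote alone.
sub xml_escape {
    my $text = shift;
    $text =~ s/&/&amp;/g;    # must run first so later entities are not double-escaped
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    $text =~ s/'/&apos;/g;
    return $text;
}

# Register the custom filter under the (assumed) name "xml".
my $tt = Template->new({ FILTERS => { xml => \&xml_escape } })
    or die Template->error;

my %templates = (
    raw   => "Hello [% name %]\n",           # escaping is opt-in: the markup goes straight through
    html  => "Hello [% name | html %]\n",    # the standard filter linked in the thread
    xml   => "Hello [% name | xml %]\n",     # plugin-style five-character escape
    plain => "Dear [% name %],\n",           # plain-text mail body: auto-escaping would corrupt it
);

for my $label (qw(raw html xml plain)) {
    my $out = '';
    $tt->process(\$templates{$label}, { name => $untrusted }, \$out)
        or die $tt->error;
    print "[$label] $out";
}
```

Only the html and xml lines come out safe for an HTML page; the raw line shows why a template that does not know its output format cannot decide on escaping for you, and the plain line shows why forcing it would be wrong.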




Template::Plugin::XML::Escape
user name
2006-06-17 09:56:13
Dave Cross wrote:
> Quoting Dominic Mitchell <domhappygiraffe.net>:
> 
>> On Fri, Jun 16, 2006 at 01:43:19PM +0100, Dave Cross wrote:
>>> Quoting Toby Corkindale <tjcwintrmute.net>:
>>>
>>> >Maybe I've just re-invented the wheel, but in case I haven't, there's a
>>> >very simple little module I've just uploaded to CPAN:
>>> >Template::Plugin::XML::Escape
>>> >
>>> >It just escapes the naughty <>'"& characters into XML entities.
>>>
>>> Sounds a lot like the standard HTML filter.
>>>
>>> http://search.cpan.org/dist/Template-Toolkit/lib/Template/Manual/Filters.pod#html
>>>
>>
>> The real issue I have with all these damned things is that escaping
>> isn't done by default.  As abhorrent as HTML::Mason otherwise is[1], it
>> does have the option of turning on HTML escaping by default.  This is a
>> superb help towards stopping cross-site scripting attacks.
> 
> HTML::Mason has the advantage of knowing that what it's producing will
> be HTML. TT doesn't know that. I'd get really pissed off if TT started
> doing automatic HTML entity escaping on a template that was producing
> plain text. Or a PDF.

Good point.  But I reckon it's still used for a lot of web stuff.  To be
honest, I don't mean to pick on TT in particular, more on web-templating
systems in general.

>> Database users learnt to use placeholders years ago when they realised
>> that manually quoting things was a pain in the posterior.  Why can't web
>> frameworks do the same?
> 
> Fair point. But TT isn't a web framework. Which is why I use it

I don't disagree -- it's damned useful.

-Dom