I am not an expert on Template::Toolkit. I know it is a feature-rich module, so I expected to find support for standard types of escaping (certainly at least: escaping using HTML entities and escaping as a URL parameter value). A quick scan of the documentation was not easy because the documentation is split across many documents.

But I did find Template::Manual::Filters which includes the HTML and URL escaping that I expected to find. The syntax used there looks rather verbose, even awkward for such an important feature, so perhaps I found the wrong part of the documentation that covers a second way to do such escaping. Though I later noticed that "| html" as an alternate syntax, so I bet that I found the right spot.

But there was no pre-built filter listed that would allow one to pull in values into JavaScript code in a safe way. Now, the feature looks easily powerful enough for one to write one's own such filter. But I find it rather common for there to be a lack of attention or emphasis on using the appropriate filter so escaping is done so slightly odd values don't just break your application.

[ That is actually one of the benefits of the much-maligned pattern of the ancient CGI. Proper escaping gets done automatically without the need for the author to remember to mark every single value to note into what type of context it is being interpolated. But programming fashion has moved to where "use a tool to write your HTML and a template to interpolate values into that" is thought of much more highly, despite how likely it makes such simple errors. I certainly find that recommended utilities that are more "modern" often can't handle pretty mundane characters.

I diagnosed a problem on our corporate website (prior job) and chided the web developers (who seemed to be some of the better of such I've worked with) for not knowing to properly escape '&' characters. A little while later, I realized that it wasn't even their fault. They had started using a highly respected JavaScript library, YUI, written by "Yahoo!", and that should have been doing the escaping.

So I went to one of Yahoo!'s major web pages and entered a value with an '&' in the middle of it. Sure enough, the page didn't work correctly for that case.

The JavaScript language itself got escaping of URL parameters wrong on the first two tries. It took over 2 years and the 3rd try got it almost right.

So, as a programmer, it appears that you have to keep this in mind and not expect to always have much help from the authors of tools, no matter how popular, modern, or highly recommended the tool might be. ]

Update: As another example, Dancer's default template support has no support for any escaping at all. This makes that default pretty much inappropriate for almost any use (unless you have complete control over the values being processed by your template and can guarantee that no even mildly interesting characters will be present in any of them).