PerlMonks  

Dancer + template toolkit default html filter

by AlexP (Pilgrim)
on Jul 25, 2021 at 18:13 UTC ([id://11135386]=perlquestion)

AlexP has asked for the wisdom of the Perl Monks concerning the following question:

Hi monks! Today I started studying Dancer with this tutorial, and maybe I'm getting ahead of myself, but I wonder: is there a way to apply a default html filter to all variables?

So far I've only seen an example with explicit syntax like:

[% entries.$id.text | html %]

However, it seems to me that with this approach a developer may forget to apply the filter and XSS will occur.

Searching for this topic led me to node and to Template::AutoFilter, but it was in early 2011.
Should I use this approach today, or are there modern ways to achieve this? And can I use this with Dancer?
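
The risk raised in the question, one variable left without `| html`, can be checked mechanically for plain Template Toolkit templates. The following is an added example, not code from this thread or from any module mentioned in it: a heuristic Perl audit that lists output tags carrying no escaping filter. The directive list, the set of filters accepted as escaping, and the sample template are assumptions made for illustration.

```perl
# Added example: heuristic audit of TT templates for unescaped output tags.
use strict;
use warnings;

# Upper-case TT directives that do not print a variable's value themselves.
my %DIRECTIVE = map { $_ => 1 } qw(
    IF UNLESS ELSIF ELSE END FOREACH FOR WHILE SWITCH CASE SET DEFAULT CALL
    INCLUDE PROCESS WRAPPER INSERT BLOCK MACRO FILTER USE TRY CATCH FINAL
    THROW NEXT LAST RETURN STOP CLEAR META TAGS PERL RAWPERL
);
# Filters treated as escaping here (assumption: HTML body/attribute context).
my $ESCAPE = qr/(?:\||\bFILTER\b)\s*(?:html_entity|html|xml)\b/;

# Returns one [line_number, tag_body] pair per unescaped output tag.
sub unescaped_tags {
    my ($text) = @_;
    my @hits;
    while ($text =~ /\[%[-+~=]?\s*(.*?)\s*[-+~=]?%\]/sg) {
        my ($body, $start) = ($1, $-[0]);
        next if $body eq '' || $body =~ /^#/;             # empty or comment
        my ($first) = $body =~ /^([A-Z]+)\b/;
        next if defined $first && $DIRECTIVE{$first};     # control flow etc.
        next if $body =~ /^[\w.\$]+\s*=(?!=)/;            # implicit SET
        next if $body =~ $ESCAPE;                         # already escaped
        my $before = substr($text, 0, $start);
        push @hits, [ 1 + ($before =~ tr/\n//), $body ];
    }
    return @hits;
}

# Constructed sample template, used when no file names are given.
my $SAMPLE = <<'TT';
[% FOREACH id IN entries.keys %]
  <h2>[% entries.$id.title | html %]</h2>
  <p>[% entries.$id.text %]</p>
  [%- author = entries.$id.author -%]
  <span>[% GET author %]</span>
[% END %]
TT

for my $name (@ARGV ? @ARGV : '(sample)') {
    my $text = $SAMPLE;
    if (@ARGV) {
        open my $fh, '<', $name or die "$name: $!";
        local $/; $text = <$fh>;
    }
    printf "%s:%d: unescaped [%% %s %%]\n", $name, @$_ for unescaped_tags($text);
}
```

Run with template paths as arguments to audit real files; tags that are safe for another reason (for example values that are already markup) will still be listed and need a manual decision.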

Replies are listed 'Best First'.
Re: Dancer + template toolkit default html filter
by Your Mother (Archbishop) on Jul 25, 2021 at 22:27 UTC

    Excellent question and thought process on your part. FWIW, Text::Xslate and a couple other template systems default to escaped and are generally better view layers precisely because they don’t have the kitchen sink of features TT does (I am a 20 year user of TT and I love how much it offers but it’s frequently a case of offering enough rope to hang yourself); and also because they are drastically faster. Anyway…

    Template::Stash::AutoEscaping is probably the best choice now without rolling your own. I’ve never used it, I use Xslate for everything new, but Shlomi Fish is a conscientious hacker so I’d expect it to be right. TT hasn’t seen a lot of development in 10 years so older modules are generally going to be fine or easy to fix if they aren’t.

      Thanks! I will explore other template engines. It’s excellent that dancer is quite flexible in this.

Re: Dancer + template toolkit default html filter
by AlexP (Pilgrim) on Jul 28, 2021 at 14:28 UTC

    After a little research, I found Template::Alloy and loved it. It also allows you to set a default filter.

    There is a Dancer adapter for it, Dancer2::Template::Alloy, but it has a typo in the README. I created a PR and am hoping it will be merged.

    Here is the valid config (config.yml part):

    # template engine
    template: "alloy"

    engines:
      template:
        alloy:
          AUTO_FILTER: html

Re: Dancer + template toolkit default html filter
by AlexP (Pilgrim) on Aug 15, 2021 at 17:09 UTC

      If you wanna use this module, be aware of one quirk. I think there is a bug with template rendering. I created an issue.

      You can rapidly fix it. Just add a relative path to views in the config like:

      views: views

      I think dancer should use it as the default template engine.
