Beefy Boxes and Bandwidth Generously Provided by pair Networks
good chemistry is complicated,
and a little bit messy -LW
 
PerlMonks  

Re^7: perl dancer route template hashref pass complex json file to server issue (escape/filter)

by tye (Sage)
on Jul 28, 2016 at 04:44 UTC ( #1168701=note: print w/replies, xml ) Need Help??


in reply to Re^6: perl dancer route template hashref pass complex json file to server issue (module)
in thread perl dancer route template hashref pass complex json file to server issue

I am not an expert on Template::Toolkit. I know it is a feature-rich module, so I expected to find support for standard types of escaping (certainly at least: escaping using HTML entities and escaping as a URL parameter value). A quick scan of the documentation was not easy because the documentation is split across many documents.

But I did find Template::Manual::Filters which includes the HTML and URL escaping that I expected to find. The syntax used there looks rather verbose, even awkward for such an important feature, so perhaps I found the wrong part of the documentation that covers a second way to do such escaping. Though I later noticed that "| html" as an alternate syntax, so I bet that I found the right spot.

But there was no pre-built filter listed that would allow one to pull in values into JavaScript code in a safe way. Now, the feature looks easily powerful enough for one to write one's own such filter. But I find it rather common for there to be a lack of attention or emphasis on using the appropriate filter so escaping is done so slightly odd values don't just break your application.

[ That is actually one of the benefits of the much-maligned pattern of the ancient CGI. Proper escaping gets done automatically without the need for the author to remember to mark every single value to note into what type of context it is being interpolated. But programming fashion has moved to where "use a tool to write your HTML and a template to interpolate values into that" is thought of much more highly, despite how likely it makes such simple errors. I certainly find that recommended utilities that are more "modern" often can't handle pretty mundane characters.

I diagnosed a problem on our corporate website (prior job) and chided the web developers (who seemed to be some of the better of such I've worked with) for not knowing to properly escape '&' characters. A little while later, I realized that it wasn't even their fault. They had started using a highly respected JavaScript library, YUI, written by "Yahoo!", and that should have been doing the escaping.

So I went to one of Yahoo!'s major web pages and entered a value with an '&' in the middle of it. Sure enough, the page didn't work correctly for that case.

The JavaScript language itself got escaping of URL parameters wrong on the first two tries. It took over 2 years and the 3rd try got it almost right.

So, as a programmer, it appears that you have to keep this in mind and not expect to always have much help from the authors of tools, no matter how popular, modern, or highly recommended the tool might be. ]

Update: As another example, Dancer's default template support has no support for any escaping at all. This makes that default pretty much inappropriate for almost any use (unless you have complete control over the values being processed by your template and can guarantee that no even mildly interesting characters will be present in any of them).

- tye        

  • Comment on Re^7: perl dancer route template hashref pass complex json file to server issue (escape/filter)
  • Select or Download Code

Replies are listed 'Best First'.
Re^8: perl dancer route template hashref pass complex json file to server issue (escape/filter)
by RamiD (Acolyte) on Jul 28, 2016 at 21:24 UTC
    thanks for the reply , but isn't there any way to disable template filter , or any other way to pass parameter between client and server without changing the param value

      You have it backward. You don't need to disable some template filter. You need to create and then enable an appropriate template filter.

      Your templated javascript contains lines like:

      var test='<%passtoserver%>';

      If the value provided for 'passtoserver' was "Don't do this", then the javascript generated by your template would be:

      var test='Don't do this';

      That is a syntax error. So you need to change your template to contain lines more like:

      var test='<% passtoserver | js_str %>';

      or, perhaps even better:

      var test=<% passtoserver | js_str %>;

      where the "| js_str" tells the template to properly escape any characters that need to be escaped in order to be included verbatim inside of a javascript string literal (and, in the second case, also adds the enclosing quote marks).

      And, no, Template::Toolkit doesn't come with a pre-built js_str filter so you'll have to create that as well.

      Your problem case is due to the \ character not being escaped for similar reasons. So your template produces javascript code like:

      var test='­[{"name":"­test","pro­blem":"her­e is the problem \" com +ma "}]';

      And, in javascript, '\"' is the same value as '"'.

      - tye        

        this worked for me
        <%passtoserver | replace('"', '"')%>;
        thanks

        Doesn't add quotes but it exists Template::Plugin::JavaScript - Encodes text to be safe in JavaScript  document.write("[% sometext | js %]");

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://1168701]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others musing on the Monastery: (2)
As of 2020-10-27 07:10 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    My favourite web site is:












    Results (256 votes). Check out past polls.

    Notices?