Beefy Boxes and Bandwidth Generously Provided by pair Networks
Do you know where your variables are?
 
PerlMonks  

comment on

( #3333=superdoc: print w/replies, xml ) Need Help??

I am not an expert on Template::Toolkit. I know it is a feature-rich module, so I expected to find support for standard types of escaping (certainly at least: escaping using HTML entities and escaping as a URL parameter value). A quick scan of the documentation was not easy because the documentation is split across many documents.

But I did find Template::Manual::Filters which includes the HTML and URL escaping that I expected to find. The syntax used there looks rather verbose, even awkward for such an important feature, so perhaps I found the wrong part of the documentation that covers a second way to do such escaping. Though I later noticed that "| html" as an alternate syntax, so I bet that I found the right spot.

But there was no pre-built filter listed that would allow one to pull in values into JavaScript code in a safe way. Now, the feature looks easily powerful enough for one to write one's own such filter. But I find it rather common for there to be a lack of attention or emphasis on using the appropriate filter so escaping is done so slightly odd values don't just break your application.

[ That is actually one of the benefits of the much-maligned pattern of the ancient CGI. Proper escaping gets done automatically without the need for the author to remember to mark every single value to note into what type of context it is being interpolated. But programming fashion has moved to where "use a tool to write your HTML and a template to interpolate values into that" is thought of much more highly, despite how likely it makes such simple errors. I certainly find that recommended utilities that are more "modern" often can't handle pretty mundane characters.

I diagnosed a problem on our corporate website (prior job) and chided the web developers (who seemed to be some of the better of such I've worked with) for not knowing to properly escape '&' characters. A little while later, I realized that it wasn't even their fault. They had started using a highly respected JavaScript library, YUI, written by "Yahoo!", and that should have been doing the escaping.

So I went to one of Yahoo!'s major web pages and entered a value with an '&' in the middle of it. Sure enough, the page didn't work correctly for that case.

The JavaScript language itself got escaping of URL parameters wrong on the first two tries. It took over 2 years and the 3rd try got it almost right.

So, as a programmer, it appears that you have to keep this in mind and not expect to always have much help from the authors of tools, no matter how popular, modern, or highly recommended the tool might be. ]

Update: As another example, Dancer's default template support has no support for any escaping at all. This makes that default pretty much inappropriate for almost any use (unless you have complete control over the values being processed by your template and can guarantee that no even mildly interesting characters will be present in any of them).

- tye        


In reply to Re^7: perl dancer route template hashref pass complex json file to server issue (escape/filter) by tye
in thread perl dancer route template hashref pass complex json file to server issue by RamiD

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Are you posting in the right place? Check out Where do I post X? to know for sure.
  • Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
    <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
  • Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
  • Want more info? How to link or How to display code and escape characters are good places to start.
Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others studying the Monastery: (3)
As of 2022-12-01 06:58 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    Notices?