|Do you know where your variables are?|
I am not an expert on Template::Toolkit. I know it is a feature-rich module, so I expected to find support for standard types of escaping (certainly at least: escaping using HTML entities and escaping as a URL parameter value). A quick scan of the documentation was not easy because the documentation is split across many documents.
But I did find Template::Manual::Filters which includes the HTML and URL escaping that I expected to find. The syntax used there looks rather verbose, even awkward for such an important feature, so perhaps I found the wrong part of the documentation that covers a second way to do such escaping. Though I later noticed that "| html" as an alternate syntax, so I bet that I found the right spot.
[ That is actually one of the benefits of the much-maligned pattern of the ancient CGI. Proper escaping gets done automatically without the need for the author to remember to mark every single value to note into what type of context it is being interpolated. But programming fashion has moved to where "use a tool to write your HTML and a template to interpolate values into that" is thought of much more highly, despite how likely it makes such simple errors. I certainly find that recommended utilities that are more "modern" often can't handle pretty mundane characters.
So I went to one of Yahoo!'s major web pages and entered a value with an '&' in the middle of it. Sure enough, the page didn't work correctly for that case.
So, as a programmer, it appears that you have to keep this in mind and not expect to always have much help from the authors of tools, no matter how popular, modern, or highly recommended the tool might be. ]
Update: As another example, Dancer's default template support has no support for any escaping at all. This makes that default pretty much inappropriate for almost any use (unless you have complete control over the values being processed by your template and can guarantee that no even mildly interesting characters will be present in any of them).
In reply to Re^7: perl dancer route template hashref pass complex json file to server issue (escape/filter)