http://qs321.pair.com?node_id=1168584


in reply to Re^3: perl dancer route template hashref pass complex json file to server issue (module)
in thread perl dancer route template hashref pass complex json file to server issue

this is the code ( this time I've tried it :-) ) in my myapp.pm I had
    package myapp;
    use Dancer ':syntax';
    use File::Slurp qw(read_file write_file read_dir);
    #use db;
    use JSON;
    use Data::Dump qw/ pp /;
    use DBI;
    our $VERSION = '0.1';
    use Dancer::Plugin::Database;

    get '/test' => sub {
        my $jsonobj;
        $jsonobj = '[{"name":"test","problem":"here is the problem \" comma +"}]';
        debug $jsonobj;
        template 'test', { passtoserver => $jsonobj };
    };
under the views I had file test.tt
    <!DOCTYPE html>
    <html>
    <head>
    </head>
    <body>
    <div style="padding: 100px 100px 10px;">
    <script>
      alert('<%passtoserver%>');
      var test = '<%passtoserver%>';
      alert(JSON.stringify(test));
      alert(JSON.parse(test));
    </script>
    <button type="text"></button>
    </div>
    </body>
    </html>
I had an error with JSON.parse(test) when I navigated the browser to http://localhost:3000/test. Yes, you're right, doing that with a Perl module rather than by hand is a plus, but the JSON file was generated by my website user and I just store it in the DB; all the work on it is just post and get between client and server. Thanks, Rami D.

Re^5: perl dancer route template hashref pass complex json file to server issue (quotes)
by tye (Sage) on Jul 26, 2016 at 18:30 UTC
    alert('<%passtoserver%>');

    So, try this:

    alert('"\""')

    What gets displayed? Same as with alert('"""').

    If you are using a templating system to paste values into javascript, then use one that can actually do it correctly, including escaping things that need to be escaped.

    - tye        

Re^5: perl dancer route template hashref pass complex json file to server issue (module)
by Anonymous Monk on Jul 26, 2016 at 18:49 UTC
      template: "template_toolkit"
      engines:
        template_toolkit:
          encoding: 'utf8'

        I am not an expert on Template::Toolkit. I know it is a feature-rich module, so I expected to find support for standard types of escaping (certainly at least: escaping using HTML entities and escaping as a URL parameter value). A quick scan of the documentation was not easy because the documentation is split across many documents.

        But I did find Template::Manual::Filters which includes the HTML and URL escaping that I expected to find. The syntax used there looks rather verbose, even awkward for such an important feature, so perhaps I found the wrong part of the documentation that covers a second way to do such escaping. Though I later noticed that "| html" is an alternate syntax, so I bet that I found the right spot.

        But there was no pre-built filter listed that would allow one to pull in values into JavaScript code in a safe way. Now, the feature looks easily powerful enough for one to write one's own such filter. But I find it rather common for there to be a lack of attention or emphasis on using the appropriate filter so escaping is done so slightly odd values don't just break your application.

        [ That is actually one of the benefits of the much-maligned pattern of the ancient CGI. Proper escaping gets done automatically without the need for the author to remember to mark every single value to note into what type of context it is being interpolated. But programming fashion has moved to where "use a tool to write your HTML and a template to interpolate values into that" is thought of much more highly, despite how likely it makes such simple errors. I certainly find that recommended utilities that are more "modern" often can't handle pretty mundane characters.

        I diagnosed a problem on our corporate website (prior job) and chided the web developers (who seemed to be some of the better of such I've worked with) for not knowing to properly escape '&' characters. A little while later, I realized that it wasn't even their fault. They had started using a highly respected JavaScript library, YUI, written by "Yahoo!", and that should have been doing the escaping.

        So I went to one of Yahoo!'s major web pages and entered a value with an '&' in the middle of it. Sure enough, the page didn't work correctly for that case.

        The JavaScript language itself got escaping of URL parameters wrong on the first two tries. It took over 2 years and the 3rd try got it almost right.

        So, as a programmer, it appears that you have to keep this in mind and not expect to always have much help from the authors of tools, no matter how popular, modern, or highly recommended the tool might be. ]

        Update: As another example, Dancer's default template support has no support for any escaping at all. This makes that default pretty much inappropriate for almost any use (unless you have complete control over the values being processed by your template and can guarantee that no even mildly interesting characters will be present in any of them).

        - tye
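Putting the two points above together (the original post's template drops the JSON text inside a quoted JavaScript string, and no stock Template::Toolkit filter escapes for a JavaScript context), here is a small self-contained script that builds the value as a JavaScript literal instead. It is an added example, not code from the original poster, Dancer, or Template::Toolkit; the `js_literal` name is chosen here, and the script uses only core JSON::PP so the broken and safe outputs can be compared without a running Dancer app.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use JSON::PP ();

# Turn a Perl value (string, number, arrayref or hashref) into a JavaScript
# literal. JSON encoding supplies correct quoting; the substitutions keep
# "</script>" and the two Unicode line terminators (which JavaScript treats
# as line breaks even inside a string) from ending the <script> element early.
sub js_literal {
    my ($value) = @_;
    my $out = JSON::PP->new->canonical->allow_nonref->encode($value);
    $out =~ s{</}{<\\/}g;
    $out =~ s{\x{2028}}{\\u2028}g;
    $out =~ s{\x{2029}}{\\u2029}g;
    return $out;
}

# The JSON text exactly as the original post stored it (the \" is literal in
# a single-quoted Perl string, so the stored text contains a JSON-escaped quote).
my $stored = '[{"name":"test","problem":"here is the problem \" comma +"}]';

# What the original template produced: the text pasted inside a JS string
# literal. JavaScript consumes the \" before JSON.parse ever sees it, so the
# parser is handed an unescaped quote and fails.
my $broken = "var test='$stored';\n";

# Safe form 1: emit the JSON text as a correctly escaped JS string literal, so
# JSON.parse(test) in the browser gets the original text back unchanged.
my $safe_text = "var test=" . js_literal($stored) . ";\n";

# Safe form 2: decode on the server and emit the structure itself, so the
# client uses the array directly with no JSON.parse at all.
my $safe_obj = "var test=" . js_literal(JSON::PP->new->decode($stored)) . ";\n";

print "broken:      $broken";
print "safe text:   $safe_text";
print "safe object: $safe_obj";

# In the Dancer route this would be
#     template 'test', { passtoserver => js_literal($stored) };
# and in test.tt the tag is used with no surrounding quotes:
#     var test = <%passtoserver%>;
```

Whichever engine renders the template, the value must reach the page through a filter or helper that knows it is landing in JavaScript; HTML-entity escaping (`| html`) is the wrong transformation for that context.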