Dancer + template toolkit default html filter

AlexP has asked for the wisdom of the Perl Monks concerning the following question:

Hi monks! Today I started studying Dancer with this tutorial and maybe I'm getting ahead but I wonder is there a way to apply default html filter to all variables?

So far I've only seen an example with explicit syntax like:

[% entries.$id.text | html %]

However, it seems to me that this approach may lead to the fact that developer may forget to apply the filter and xss will occurs.

Searching for this topic led me to node and to Template::AutoFilter but it was in early 2011.
Should i use this approach today or there are modern ways to achieve this? And can I use this with dancer?

Comment on Dancer + template toolkit default html filter Download Code

Replies are listed 'Best First'.
Re: Dancer + template toolkit default html filter by Your Mother (Archbishop) on Jul 25, 2021 at 22:27 UTC
Excellent question and thought process on your part. FWIW, Text::Xslate and a couple other template systems default to escaped and are generally better view layers precisely because they don’t have the kitchen sink of features TT does (I am a 20 year user of TT and I love how much it offers but it’s frequently a case of offering enough rope to hang yourself); and also because they are drastically faster. Anyway… Template::Stash::AutoEscaping is probably the best choice now without rolling your own. I’ve never used it, I use Xslate for everything new, but Shlomi Fish is a conscientious hacker so I’d expect it to be right. TT hasn’t seen a lot of development in 10 years so older modules are generally going to be fine or easy to fix if they aren’t.	[reply]
Re^2: Dancer + template toolkit default html filter by AlexP (Pilgrim) on Jul 26, 2021 at 16:00 UTC
Thanks! I will explore other template engines. It’s excellent that dancer is quite flexible in this.	[reply]
Re: Dancer + template toolkit default html filter by AlexP (Pilgrim) on Jul 28, 2021 at 14:28 UTC
After a small research, I found Template::Alloy and loved it. It also allows you to set a default filter. There is Dancer adapter for it Dancer2::Template::Alloy, but it has a typo in README. I create a PR and hoping it will be merged. Here is the valid config (config.yml part): `# template engine template: "alloy" engines: template: alloy: AUTO_FILTER: html` [download]	[reply] [d/l]
Re: Dancer + template toolkit default html filter by AlexP (Pilgrim) on Aug 15, 2021 at 17:09 UTC
Accidentally found great modern template engine for dancer2 Dancer2::Template::Handlebars. It's using mustaches {{ }} to interpolate and escaping HTML by default! There is also cool article about it https://advent.perldancer.org/2020/17.	[reply]
Re^2: Dancer + template toolkit default html filter by AlexP (Pilgrim) on Aug 15, 2021 at 18:43 UTC
If you wanna use this module, be aware of one quirk. I think there is a bug with template rendering. I create an issue. You can rapidly fix it. Just add a relative path to views in config like: `views: views` [download]	[reply] [d/l]
Re^2: Dancer + template toolkit default html filter by AlexP (Pilgrim) on Aug 15, 2021 at 17:10 UTC
I think dancer should use it as the default template engine.	[reply]