Always, always, always sanitise user input. You have no idea how that input was generated.

Think of a website as being an API that just happens to have a page you created attached to it. It is trivial to change the input generation method and fire back something totally unexpected to your POST or GET methods.

If there is no Get handler the user shouldn't be able to supply arbitrary input. But new exploits are invented all the time. You should escape all data coming into your app that you didn't supply, as standard policy. And yes, you should escape all variables you print out with TT using Template's filters.

You entered: [%  sanitized_input | html_entity %]
[download]

TT still doesn't provide default filtering afaik, but HTML::Template does.

TT still doesn't provide default filtering afaik, but HTML::Template does.

The CPAN does :) Template::AutoFilter - Template::Toolkit with automatic filtering

Shoudl I escape ALL data passed to Template toolkit or in certain cases ?

It depends on what you're doing

If you're including html which should be displayed, it makes no sense to escape it

If you're including some attribute values, they should be html escaped

So yeah, you should think about what the data is coming into the template , then the template should do something you want with it

Wouldn't it be easier to address data validation and use case handling in the pure Perl that calls it rather than in the template?

Two separate issues

The model does its own validation for correctness

The view (template) does its own "validation" ... to ensure correct display of stuff, html, json ... whatever

TT can certainly do that, although I would personally find it conflicts with my code design objectives in regard to the downscalability of testable units.

One world, one people