in reply to Template toolkit XSS
If there is no GET handler the user shouldn't be able to supply arbitrary input. But new exploits are invented all the time. You should escape all data coming into your app that you didn't supply, as standard policy. And yes, you should escape all variables you print out with TT using Template's filters.
You entered: [% sanitized_input | html_entity %]
TT still doesn't provide default filtering afaik, but HTML::Template does.
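As an added illustration of the point above (example code, not part of the original reply), this renders the same untrusted value through Template Toolkit once without a filter and once with `html_entity`, so the difference is visible; it assumes the Template and HTML::Entities modules are installed, since `html_entity` relies on the latter.

```perl
#!/usr/bin/env perl
# Added example, not from the original post: shows why every user-supplied
# variable printed by TT should go through an escaping filter.
# Assumes Template and HTML::Entities are installed (html_entity uses it).
use strict;
use warnings;
use Template;

# Constructed sample input, the kind of value a form field might carry.
my $untrusted = q{<script>alert(1)</script> "x" & 'y'};

my $tt = Template->new() or die Template->error();

# Unfiltered: the markup is interpolated verbatim into the page.
my $unsafe_tmpl = 'You entered: [% input %]';
# Filtered: special characters become entities and are shown as text.
my $safe_tmpl   = 'You entered: [% input | html_entity %]';

sub render {
    my ($template, $vars) = @_;
    my $out = '';
    $tt->process(\$template, $vars, \$out) or die $tt->error();
    return $out;
}

my $vars = { input => $untrusted };
print "unfiltered: ", render($unsafe_tmpl, $vars), "\n";
print "filtered:   ", render($safe_tmpl,   $vars), "\n";

# A check worth keeping in a test suite: no raw tag survives the filter.
my $rendered = render($safe_tmpl, $vars);
die "escaping failed" if $rendered =~ /<script/i;
print "ok: filtered output contains no raw tags\n";
```

Running it prints the raw `<script>` tag on the unfiltered line and `&lt;script&gt;...` on the filtered one.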
Re^2: Template toolkit XSS
by Anonymous Monk on Aug 05, 2015 at 01:57 UTC