rrwo has asked for the wisdom of the Perl Monks concerning the following question:

I have some ideas for modules, which from a cursory search on CPAN do not seem to exist, but which I think might be very useful.

If you don't understand the title, imagine this:

tie $input, 'Tie::HTMLEncode';
$input = "<script>alert(\"Boo!\")</script>";
print $input; # outputs &lt;script&gt;alert("Boo!")&lt;/script&gt;

Is there already such a module? (I know there are already modules that encode; I'm asking if one is done through tie.) Would you find it useful?

The idea came to me from the article at perl.com on Cross-Site Scripting.

Re: Module Ideas - Tie::HTMLencode and Tie::UrlEncode
by dash2 (Hermit) on Feb 21, 2002 at 13:34 UTC
    I ain't sure how useful it would be. The point of it would be to print something easily in an HTML-escaped format (I think you mean escaped, not so much encoded). The problem is that tie-ing means whenever you access that variable, you get the HTML-escaped version. So, for example, this:

    $input =~ s{<script>}{<script type='text/javascript'>};

    might not work as you expect.

    You might prefer to use overload to overload the string operator. (NB: this is fairly new and tricky - I've had core dumps.)

    dave hj~

      Well, one can use an OOP-interface, like so:

      my $thing = "<htmlishness>";   # $thing is tied
      my $obj = tied($thing);
      $obj->raw();                   # or some such accessor

      It's an experimental idea, so you can make sure you don't emit any un-encoded variables. Kind of like automatic taint-checking and encoding.

      I figured "what the heck" and uploaded a quick test to CPAN as Tie::HTML::Entities. Needs work, I'm sure.

Re: Module Ideas - Tie::HTMLencode (boo)
by boo_radley (Parson) on Feb 21, 2002 at 15:22 UTC
    Here's one...
    package Tie::HTMLEscape;
    use CGI qw(escapeHTML);
    use strict;

    # Escape the initial value once and keep the escaped string in the object.
    sub TIESCALAR {
        my $class = shift;
        my $str   = escapeHTML(shift);
        return bless \$str, $class;
    }

    # Every read of the tied scalar returns the escaped string.
    sub FETCH {
        my $self = shift;
        return $$self;
    }

    # Every assignment is escaped before it is stored.
    sub STORE {
        my $self = shift;
        warn "wrong type to STORE" unless ref $self;
        my $new_str = escapeHTML(shift);
        warn "too many parms to STORE" if @_;
        $$self = $new_str;
        $$self;
    }

    1;
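    A runnable sketch that puts dash2's substitution caveat and the raw() accessor from rrwo's reply side by side; this is example code added here, not boo_radley's module, the Tie::HTML::Entities upload, or any CPAN module. The Tie::HTMLEscape::Demo package name and the hand-rolled escape_html helper (used instead of CGI's escapeHTML so it runs on core Perl) are assumptions.

```perl
use strict;
use warnings;

# Hypothetical tie class (constructed for this example): STORE keeps the
# unescaped value and an escaped copy, FETCH hands back only the escaped
# copy, and raw() exposes the original through the tied object.
package Tie::HTMLEscape::Demo;

my %ESC = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');

# Minimal escaper standing in for CGI::escapeHTML / HTML::Entities.
sub escape_html {
    my $s = shift;
    $s =~ s/([&<>"])/$ESC{$1}/g;
    return $s;
}

sub TIESCALAR {
    my ($class, $initial) = @_;
    my $self = bless { raw => '', escaped => '' }, $class;
    $self->STORE($initial) if defined $initial;
    return $self;
}

sub STORE {
    my ($self, $value) = @_;
    $self->{raw}     = $value;
    $self->{escaped} = escape_html($value);
}

sub FETCH { $_[0]{escaped} }   # every read of the variable is escaped
sub raw   { $_[0]{raw} }       # explicit escape hatch for the original

package main;

tie my $input, 'Tie::HTMLEscape::Demo';
$input = q{<script>alert("Boo!")</script>};   # goes through STORE
print "$input\n";                             # prints entities, not tags
print tied($input)->raw(), "\n";              # the unescaped original

# dash2's caveat: s/// reads through FETCH, so the pattern is matched
# against the escaped text and a literal <script> is never found.
my $matched = ($input =~ s{<script>}{<script type='text/javascript'>});
print "matched literal <script>: ", ($matched ? 'yes' : 'no'), "\n";

# Editing a plain copy and storing it back re-escapes the whole string,
# so entities already present in the copy end up double-escaped.
(my $copy = $input) =~ s{&lt;script&gt;}{<script>};
$input = $copy;
print "$input\n";
```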