I thought that too at first, but there are so many different ways to output things - read from DB, directly from the form (in case of form error) ... and so many different modules are involved (TemplateToolkit, DBD::MySQL, Data::FromValidator, HTML::FillInForm ...) that I couldn't find an easy bulletproof way to encode everything (automatically) on output.

And either way - I need it 90% of the time in escaped (secure) format for printing out as part of web pages, forms and similar. I store them that way in a DB, and just print them out as-is. Actually, I would say ~ 100% - as I either need that escaped or not in some special cases - which I mentioned, like WYSIWYG editor as part of CMS. But it continues to be in same format, and very rarely do I need to undo something escaped.

So this is fire and forget approach. /ex-Yugoslavia languages: Sipas i ne mislis !/

Performance wise it's also better - as with anything else that you can pre-calculate, instead of escaping it over and over ... You can also think about it as tainted mode - everything "is protected" and you need to untaint anything you might need - no way to forget to escape something. Which is quite easy (to forget) in web world where you add new and change old fields like socks.

Have you tried freelancing? Check out Scriptlance - I work there. For more info about Scriptlance and freelancing in general check out my home node.

In reply to Re^4: Removing malicious HTML entities (now with more questions!) by techcode
in thread Removing malicious HTML entities (now with more questions!) by Lawliet

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.