in reply to Template Toolkit filtering all variables

I interpolate a lot of variables into HTML, but I also end up putting a lot of variables into URLs, which require URI-encoding first before HTML-ent'ing. So a general rule, as attractive as it may sound, will probably only get in the way later. (Witness the PHP rule that tries to backwhack all single quotes, and then you end up with occasional backwhacks in the output because of a double application of the rule.)

So, in my mind, I simply keep track of "possibly user data" apart from "data I've constructed", and to the former, add "| html". You do realize that you need only those five characters, right?

[% CGI.h2("Greetings!") %] Hello, [% firstname | html %] [% lastname | html %]!
The "h2" should not be escaped (it would print literally as <h2> which is very wrong), but the firstname and lastname need it, so I add "| html" to them.

-- Randal L. Schwartz, Perl hacker
Be sure to read my standard disclaimer if this is a reply.

Re^2: Template Toolkit filtering all variables
by holli (Abbot) on Oct 13, 2005 at 11:51 UTC
    Why
    [% CGI.h2("Greetings!") %] Hello, [% firstname | html %] [% lastname | html %]!
    and not
    <h2>Greetings!</h2> Hello, [% firstname | html %] [% lastname | html %]!
    ?

    just curious,


    holli, /regexed monk/
      I used h2 with a literal as a quick example. Most often, I'm using CGI calls for (sticky) form fields, but when I was thinking about that for this problem, I decided that it would detract from the point I was making.

      -- Randal L. Schwartz, Perl hacker
      Be sure to read my standard disclaimer if this is a reply.

Re^2: Template Toolkit filtering all variables
by marvell (Pilgrim) on Oct 13, 2005 at 11:58 UTC

    I clearly missed the pipe bit in the manual. Can you double pipe, to html and html_para, say?

    --
    Steve Marvell

      I clearly missed the pipe bit in the manual.
      That's at Template::Manual::Directives, under FILTER.
      Can you double pipe, to html and html_para, say?
      That wouldn't make sense, because once you've inserted the P tags, you'll end up escaping the angle brackets. Ouch. But yes, you can double pipe for things like filename to href params versus filename to html:
      <a href = "[% filename | uri | html %]">[% filename | html %]</a>

      -- Randal L. Schwartz, Perl hacker
      Be sure to read my standard disclaimer if this is a reply.

        Piping to html then html_para makes sense though?

        --
        Steve Marvell
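As an added illustration of the points made in this thread (the "| html" on possibly-user data, the "| uri | html" double pipe for href values, and why "html_para | html" is the wrong order while "html | html_para" is fine), here is a small Python script. It is not code from the thread or from Template Toolkit; the tt_* functions are approximations of the TT filters of the same name, and the exact character set assumed for the `url` filter is a guess. The sample inputs are constructed.

```python
import re
from urllib.parse import quote

# Added example, not code from the thread or from Template Toolkit itself.
# The tt_* functions approximate the TT filters discussed above so the
# effect of choosing and ordering filters can be seen on constructed input.


def tt_html(text: str) -> str:
    """Approximation of TT's 'html' filter: escape &, <, > and double quote."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))


def tt_uri(text: str) -> str:
    """Approximation of TT's 'uri' filter: percent-encode everything except
    RFC 3986 unreserved characters (letters, digits, '-', '_', '.', '~')."""
    return quote(text, safe="")


def tt_url(text: str) -> str:
    """Approximation of TT's 'url' filter: like 'uri' but leaves URL
    reserved characters such as & = ? / ; : @ alone (assumed safe set)."""
    return quote(text, safe=";/?:@&=+$,")


def tt_html_para(text: str) -> str:
    """Approximation of TT's 'html_para' filter: blank-line separated
    paragraphs become <p> ... </p> blocks."""
    paragraphs = re.split(r"(?:\r?\n){2,}", text.strip())
    return "<p>\n" + "\n</p>\n\n<p>\n".join(paragraphs) + "\n</p>\n"


def render_greeting(firstname: str, lastname: str) -> str:
    """The thread's example: [% firstname | html %] [% lastname | html %].
    The literal <h2> is template-author data and is not escaped; the two
    names are possibly-user data and are."""
    return f"<h2>Greetings!</h2> Hello, {tt_html(firstname)} {tt_html(lastname)}!"


def render_link(filename: str) -> str:
    """The thread's double pipe:
    <a href="[% filename | uri | html %]">[% filename | html %]</a>
    The href is a URL context inside an HTML attribute, so the value is
    URI-encoded first and HTML-escaped second; the link text is HTML only.
    After 'uri' nothing is left for 'html' to touch, so it is a safeguard."""
    return f'<a href="{tt_html(tt_uri(filename))}">{tt_html(filename)}</a>'


def render_url_link(link: str) -> str:
    """Same idea for a value that is already a URL (constructed template,
    not from the thread): [% link | url | html %]. 'url' keeps & and = as
    URL structure, so the trailing '| html' really does work here: the '&'
    must become '&amp;' inside the attribute value."""
    return f'<a href="{tt_html(tt_url(link))}">{tt_html(link)}</a>'


def html_then_para(text: str) -> str:
    """[% text | html | html_para %]: escape user text, then add <p> markup.
    The paragraph tags survive because they are added after escaping."""
    return tt_html_para(tt_html(text))


def para_then_html(text: str) -> str:
    """[% text | html_para | html %]: the order Randal warns against.
    The <p> tags just inserted get escaped along with the user's text."""
    return tt_html(tt_html_para(text))


if __name__ == "__main__":
    # Constructed sample input.
    print(render_greeting("<b>Bob</b>", 'O"Hara'))
    print(render_link("my file&co.txt"))
    print(render_url_link("/show?a=1&b=2 x"))
    body = "Hi <b>all</b>\n\nBye"
    print(html_then_para(body))
    print(para_then_html(body))
```

Running it shows the two orderings side by side: html followed by html_para yields real paragraph tags around escaped text, while html_para followed by html turns the freshly inserted <p> into literal "&lt;p&gt;" on the page.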