in reply to Re: Could we get a more systematic approach to security in perl?
in thread Could we get a more systematic approach to security in perl?

Which means you already do all the things tainting would try to force you to without the need to be bugged by it. Good for you but ... the fact that you decided to drive safely, slow down in villages and towns, etc. etc. etc. doesn't mean other people do not need to be forced to slow down. You would not notice there's a speed limit, because you already drive below without being told. Others need to be told.

BTW, default_escape => 'HTML'? What if the value needs to end up in some JavaScript? Or a URL?

Update: s/willages/villages/, thx marto.

Jenda
Enoch was right!
Enjoy the last years of Rome.

Re^3: Could we get a more systematic approach to security in perl?
by moritz (Cardinal) on Mar 29, 2010 at 12:16 UTC
    BTW, default_escape => 'HTML'? What if the value needs to end up in some JavaScript? Or a URL?
    You would declare the escape type in the template:
    <a href="/foobar/<TMPL_VAR myurl ESCAPE=URI">...</a>

    You can also use ESCAPE=NONE inside the template if you consciously want to interpolate HTML. The point is just that if you don't think of escaping at all, there's a safe default which does not lead to XSS holes.

    Perl 6 - links to (nearly) everything that is Perl 6.
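The arrangement moritz describes, as an added example that is not code from this thread: one HTML::Template document where `default_escape => 'HTML'` covers every untyped variable, and the attribute-level ESCAPE overrides it where a value lands in a URL, a JavaScript string, or is trusted markup. I use the attribute values HTML::Template documents (`ESCAPE=URL`, `ESCAPE=JS`, `ESCAPE=NONE`); the template text and the hostile sample value are constructed here.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Template;

# Constructed template. Every TMPL_VAR without its own ESCAPE attribute
# picks up the default_escape set below; the others name their context.
my $template = <<'TMPL';
<p>Hello, <TMPL_VAR name>!</p>
<a href="/profile?user=<TMPL_VAR name ESCAPE=URL>">profile</a>
<script>var who = "<TMPL_VAR name ESCAPE=JS>";</script>
<div class="bio"><TMPL_VAR bio_html ESCAPE=NONE></div>
TMPL

my $t = HTML::Template->new(
    scalarref      => \$template,
    default_escape => 'HTML',   # safe default: forgetting ESCAPE still escapes
);

# Constructed hostile input, shaped like something a form field could carry.
my $name = q{<script>alert("xss")</script>"; x="};

$t->param(
    name => $name,
    # ESCAPE=NONE is reserved for markup produced by our own code, never
    # for anything that came in from a request.
    bio_html => '<em>trusted markup built by the application</em>',
);

# The same $name comes out HTML-escaped in the paragraph, percent-encoded
# in the href, and backslash-escaped inside the JavaScript string literal.
print $t->output;
```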