in reply to Re^2: Could we get a more systematic approach to security in perl?
in thread Could we get a more systematic approach to security in perl?
> BTW, default_escape => 'HTML'? What if the value needs to end up in some JavaScript? Or a URL?

You would declare the escape type in the template:
<a href="/foobar/<TMPL_VAR myurl ESCAPE=URI">...</a>
You can also use ESCAPE=NONE inside the template if you consciously want to interpolate HTML. The point is just that if you don't think of escaping at all, there's a safe default which does not lead to XSS holes.
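The behaviour the reply describes, as an added, stand-alone example (not code from the original post or from the HTML::Template distribution). It assumes HTML::Template is installed and uses its documented `default_escape` constructor option together with the per-variable `ESCAPE=URL`, `ESCAPE=JS` and `ESCAPE=NONE` overrides (the module's documentation spells the URL escape as `URL`); the template text and the attacker-style parameter values are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Template;

# Constructed template (not from the original post). Every TMPL_VAR without
# an explicit ESCAPE attribute falls back to the constructor's default_escape,
# so a variable the template author never thought about is still HTML-escaped.
my $tmpl = <<'END_TMPL';
<p>Hello, <TMPL_VAR NAME=name></p>
<a href="/foobar/<TMPL_VAR NAME=myurl ESCAPE=URL>">profile</a>
<script>var who = "<TMPL_VAR NAME=name ESCAPE=JS>";</script>
<div><TMPL_VAR NAME=trusted_html ESCAPE=NONE></div>
END_TMPL

my $t = HTML::Template->new(
    scalarref      => \$tmpl,
    default_escape => 'HTML',   # safe default for anything not marked otherwise
);

# Values that might come straight from a request (constructed for the example).
# name:         lands in HTML text and in a JS string literal
# myurl:        lands inside a URL path segment
# trusted_html: markup the application itself generated, deliberately passed through
$t->param(
    name         => q{<script>alert(1)</script>"; alert(2); //},
    myurl        => q{a b/"><script>alert(3)</script>},
    trusted_html => q{<em>server-generated markup</em>},
);

# The <p> gets &lt;script&gt;..., the href gets a percent-encoded path segment,
# the JS string gets its quotes and slashes escaped, and only the ESCAPE=NONE
# variable is interpolated verbatim.
print $t->output;
```

The caveat a reviewer would look for is the last line of the template: `ESCAPE=NONE` is the one place where the safe default is switched off, so every such occurrence should be grep-able and justified by where the value comes from.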