[Catalyst] Views and escaping HTML

Mesdaq, Ali amesdaq at websense.com
Thu Apr 1 17:27:18 GMT 2010


You prefer global escaping to escaping in the template? I use the TT plugin for escaping:

[% USE HTML %]
[% HTML.escape(needs.escaping) %]

An idea that might work for you: if you structure your data in the stash and write your templates generically, looking for data in specific stash locations, you could (potentially) accomplish what you want with very little work. Something like:

[% USE HTML %]
<title>[% data.title %]</title>
<h1>[% HTML.escape(data.escape.something) %]</h1>

Not sure if that would work for you.

Thanks,
------------------------------------------
Ali Mesdaq (CISSP, GIAC-GREM)
Sr. Security Researcher
Websense Security Labs
http://www.WebsenseSecurityLabs.com
------------------------------------------
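A worked sketch of the two approaches discussed in this thread: the per-value escaping Ali shows above and the "escape everything by default, opt out for trusted markup" custom stash that Ovid describes below. This is an added example, not code from the list or from Catalyst::View::TT. It needs only Template Toolkit; the package names My::EscapingStash and My::SafeHTML, the helper escape_html, and the sample template and variables are all made up for the illustration.

```perl
#!/usr/bin/env perl
# Added example (not from the thread): a Template::Stash subclass that HTML-escapes
# every plain scalar it hands back to a template, plus a marker class for values
# that are already trusted HTML (e.g. a form rendered by trusted code).
# Package names My::SafeHTML / My::EscapingStash are hypothetical.
use strict;
use warnings;

# ---------------------------------------------------------------------------
package My::SafeHTML;
# Wraps a string that is already HTML. The stash passes references through
# untouched, and TT stringifies the object via overload when it is output.
use overload '""' => sub { ${ $_[0] } }, fallback => 1;

sub new {
    my ($class, $html) = @_;
    return bless \$html, $class;
}

# ---------------------------------------------------------------------------
package My::EscapingStash;
use parent 'Template::Stash';    # pure-Perl stash; we instantiate it ourselves

# Minimal HTML escaper (assumed helper) covering the five significant characters.
sub escape_html {
    my $s = shift;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Every variable lookup in a compiled template goes through get(). Escape plain
# scalars; leave undef and references (hashes, lists, objects such as
# My::SafeHTML) alone so dotted lookups, FOREACH and method calls keep working.
sub get {
    my $self  = shift;
    my $value = $self->SUPER::get(@_);
    return $value if !defined $value || ref $value;
    return escape_html($value);
}

# ---------------------------------------------------------------------------
package main;
use Template;

my $template = <<'TT';
<title>[% data.title %]</title>
<h1>[% data.message %]</h1>
[% form %]
TT

# Constructed input: an attacker-controlled message plus a pre-rendered form.
my $vars = {
    data => {
        title   => 'Inbox',
        message => '<script>alert(document.cookie)</script>',
    },
    form => My::SafeHTML->new('<form method="post"><input name="q"></form>'),
};

# Default stash: nothing is escaped unless the template author remembers "| html",
# so the script tag reaches the browser verbatim.
my $unsafe = Template->new;
$unsafe->process(\$template, $vars, \my $unsafe_out) or die $unsafe->error;
print "--- default stash ---\n$unsafe_out";

# Escaping stash: scalars are escaped on lookup, the My::SafeHTML form survives.
my $safe = Template->new({ STASH => My::EscapingStash->new });
$safe->process(\$template, $vars, \my $safe_out) or die $safe->error;
print "--- escaping stash ---\n$safe_out";
```

Two caveats for anyone adopting this. First, once the stash escapes on lookup, `[% x | html %]` and `[% HTML.escape(x) %]` double-escape, because the filter's or plugin's return value passes back through `get`; pick one mechanism. Second, wrapping a value in the marker class asserts that it is trusted HTML, so only do that for markup produced by your own code (a form builder, a wrapper template), never for anything derived from request input. Escaping for HTML text also does not make a value safe inside a `<script>` block or an unquoted attribute; those contexts need their own encoding.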


-----Original Message-----
From: Ovid [mailto:publiustemp-catalyst at yahoo.com] 
Sent: Thursday, April 01, 2010 3:00 AM
To: Cat Herders; Tomas Doran
Subject: [Catalyst] Views and escaping HTML

Hi all,

I've been searching for the best answer, but there's a huge amount to wade through.

I'm working on a Catalyst app where all views are purely HTML.  I use Catalyst::View::TT.  The vast majority of my data in views should be HTML escaped:

    [% message | html %]

However, I'd like that to be the default rather than the exception because it's easy to forget this.  I wanted to just do this in the view class:

    STASH => Template::Stash::EscapeHTML

But that globally escapes everything, thus destroying my forms.  I considered writing my own stash but had trouble getting enough information to always be sure of doing the right thing.  It might be nice if Catalyst::View::TT accepted a Template subclass, something like this:

  package Veure::View::HTML;

  use Modern::Perl;
  use parent 'Catalyst::View::TT';

  __PACKAGE__->config(
    TEMPLATE_CLASS     => 'Template::HTML',
    TEMPLATE_EXTENSION => '.tt',
    WRAPPER            => 'site/wrapper',
  );

That would cause everything to be HTML escaped, unless I use the new "none" filter:

    [% form.render | none %]

However, that doesn't work because the template class is hard-coded into Catalyst::View::TT.

I'm not sure if this is the best way to go about this, though.  Should I just continue work on a custom stash?  How have others dealt with this?

Cheers,
Ovid
--
Buy the book         - http://www.oreilly.com/catalog/perlhks/
Tech blog            - http://blogs.perl.org/users/ovid/
Twitter              - http://twitter.com/OvidPerl
Official Perl 6 Wiki - http://www.perlfoundation.org/perl6

_______________________________________________
List: Catalyst at lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/

