For users of HTML::Template, attached is a note about
a patch someone wrote to help guard against cross-site
scripting attacks when using said module. FYI.
Note: forwarded message attached.
--- Begin Message ---
This patch allows you to do
HTML::Template->new(default_escape => 'HTML');
then your TMPL_VARs will always be HTML-escaped unless you explicitly
specify ESCAPE=0, which will be a handy guard against Cross Site
Scripting attacks.
--
Tatsuhiko Miyagawa <[EMAIL PROTECTED]>
diff -ruP HTML-Template-2.5.orig/Template.pm HTML-Template-2.5/Template.pm
--- HTML-Template-2.5.orig/Template.pm Fri Jun 21 16:05:21 2002
+++ HTML-Template-2.5/Template.pm Fri Jun 21 16:03:29 2002
@@ -927,6 +927,7 @@
no_includes => 0,
case_sensitive => 0,
filter => [],
+ default_escape => 0,
);
# load in options supplied to new()
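Review bot: the new option is registered in the defaults hash, but nothing in the patch documents it; the POD for new() should gain a `default_escape` entry stating the accepted values (the message says 'HTML', the test passes 'html') and that an explicit ESCAPE=0 in a tag opts a variable out of the default.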
@@ -1822,7 +1823,7 @@
$which = uc($1); # which tag is it
- $escape = $3 || $8;
+ $escape = $3 || $8 || $options->{default_escape};
$escape = 0 if $2 || $7; # ESCAPE=0
$escape = 0 unless defined($escape);
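Review bot: `$options->{default_escape}` is consumed here without validation or case normalization, so a mistyped value is only noticed when escaping silently does not happen; validate and uppercase it once in new() rather than at every tag. Note also that the default is resolved at parse time and so becomes part of the parsed template; if parsed templates are ever shared or cached across objects, `default_escape` has to take part in the cache key or a parse made with a different setting will be reused.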
diff -ruP HTML-Template-2.5.orig/test.pl HTML-Template-2.5/test.pl
--- HTML-Template-2.5.orig/test.pl Fri Jun 21 16:05:21 2002
+++ HTML-Template-2.5/test.pl Fri Jun 21 16:04:56 2002
@@ -3,7 +3,7 @@
use strict;
use Test;
-BEGIN { plan tests => 55 };
+BEGIN { plan tests => 57 };
use HTML::Template;
ok(1);
@@ -717,3 +717,18 @@
filename => 'include_path/one.tmpl');
$output = $template->output;
ok($output =~ /ONE/ and $output =~ /TWO/ and $output =~ /THREE/);
+
+# test default_escape
+$template = HTML::Template->new(path => ['templates'],
+ filename => 'simple.tmpl',
+ default_escape => 'html');
+$template->param(ADJECTIVE => '"very"');
+$output = $template->output;
+ok($output =~ /"very"/);
+
+$template = HTML::Template->new(path => ['templates'],
+ filename => 'escape.tmpl',
+ default_escape => 'html');
+$template->param(STUFF => '<>');
+$output = $template->output;
+ok($output !~ /<>/);
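Review bot: the first assertion, `ok($output =~ /"very"/)`, expects the quotes around `very` to come through unchanged even though the object was built with `default_escape => 'html'`; HTML escaping turns `"` into `&quot;`, so as written the test contradicts the feature it is meant to prove and will fail unless simple.tmpl opts out with ESCAPE=0. Asserting `$output =~ /&quot;very&quot;/` would exercise the default. The second test already passes if escape.tmpl carries its own ESCAPE attribute, as its name suggests, so it should use a template with a bare TMPL_VAR. A third case checking that ESCAPE=0 overrides the default, which the message promises, is missing.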
_______________________________________________
Html-template-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/html-template-users
--- End Message ---
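A usage sketch of the option the patch introduces, added here as an example and not part of the original message or of the HTML::Template distribution; it assumes a build that accepts `default_escape` (the patched 2.5 or a later release) together with the `scalarref` constructor option, and the template and untrusted input are constructed inline:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Template;

# Constructed template: NAME takes whatever default the object was built
# with; MARKUP opts out of any default with ESCAPE=0 (trusted markup only).
my $tmpl = <<'END_TMPL';
<p>Hello, <TMPL_VAR NAME="NAME"></p>
<div><TMPL_VAR NAME="MARKUP" ESCAPE=0></div>
END_TMPL

# Constructed untrusted input of the kind that reaches a template from a form.
my $untrusted = '<script>alert(1)</script>';

# Render the template with the given constructor options.
sub render {
    my %opts = @_;
    my $t = HTML::Template->new(scalarref => \$tmpl, %opts);
    $t->param(NAME => $untrusted, MARKUP => '<b>site notice</b>');
    return $t->output;
}

# Without the option every TMPL_VAR is emitted verbatim.
my $raw = render();
print "--- no default_escape ---\n$raw";

# With default_escape => 'HTML' the bare TMPL_VAR is escaped while the
# ESCAPE=0 variable is still emitted as-is.
my $safe = render(default_escape => 'HTML');
print "--- default_escape => 'HTML' ---\n$safe";

# The checks a regression test for this option should make.
die "default_escape did not neutralize the script tag\n"
    if $safe =~ /<script>/;
die "expected HTML entities in escaped output\n"
    unless $safe =~ /&lt;script&gt;/;
die "ESCAPE=0 opt-out was not honoured\n"
    unless $safe =~ m{<b>site notice</b>};
```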