For users of HTML::Template, attached is a note about
a patch someone wrote to help guard against cross-site
scripting attacks when using said module. FYI.

Note: forwarded message attached.


=====
"Now it's over, I'm dead, and I haven't done anything that I want; or, I'm still 
alive, and there's nothing I want to do." - They Might Be Giants, http://www.tmbg.com

--- Begin Message ---
This patch allows you to do

  HTML::Template->new(default_escape => 'HTML');

then your TMPL_VARs will always be HTML-escaped unless you explicitly
specify ESCAPE=0, which will be a handy guard against Cross Site
Scripting attacks.

--
Tatsuhiko Miyagawa <[EMAIL PROTECTED]>


diff -ruP HTML-Template-2.5.orig/Template.pm HTML-Template-2.5/Template.pm
--- HTML-Template-2.5.orig/Template.pm  Fri Jun 21 16:05:21 2002
+++ HTML-Template-2.5/Template.pm       Fri Jun 21 16:03:29 2002
@@ -927,6 +927,7 @@
                no_includes => 0,
                case_sensitive => 0,
                filter => [],
+              default_escape => 0,
               );
   
   # load in options supplied to new()
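Review bot: the new `default_escape => 0` entry lands in the options hash with no accompanying POD hunk documenting the option or the values it accepts, and nothing in new() validates it. Because the value is only consulted per TMPL_VAR at parse time, a misspelled value such as `default_escape => 'htlm'` would not be caught until a template is parsed; consider validating the option in new() against the same set of names that ESCAPE= accepts, and documenting that an explicit ESCAPE=0 on a tag still opts out.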
@@ -1822,7 +1823,7 @@
 
       $which = uc($1); # which tag is it
 
-      $escape = $3 || $8;
+      $escape = $3 || $8 || $options->{default_escape};
       $escape = 0 if $2 || $7; # ESCAPE=0 
       $escape = 0 unless defined($escape);
       
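Review bot: the `||` chain in `$escape = $3 || $8 || $options->{default_escape};` sits before the `$escape = 0 if $2 || $7; # ESCAPE=0` override, so a tag with an explicit ESCAPE=0 still ends up unescaped, which is what the cover note promises; that ordering is worth a comment, since swapping the two lines would silently turn ESCAPE=0 into a no-op whenever default_escape is set. Two things the hunk does not show and that should be confirmed: that `$options` is the lexical in scope at this point of the parser (the hunk reads it directly rather than via `$self->{options}`), and that the downstream comparison of `$escape` is case-insensitive, because the cover note passes `'HTML'` while test.pl passes `'html'`.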
diff -ruP HTML-Template-2.5.orig/test.pl HTML-Template-2.5/test.pl
--- HTML-Template-2.5.orig/test.pl      Fri Jun 21 16:05:21 2002
+++ HTML-Template-2.5/test.pl   Fri Jun 21 16:04:56 2002
@@ -3,7 +3,7 @@
 
 use strict;
 use Test;
-BEGIN { plan tests => 55 };
+BEGIN { plan tests => 57 };
 
 use HTML::Template;
 ok(1);
@@ -717,3 +717,18 @@
                                   filename => 'include_path/one.tmpl');
 $output = $template->output;
 ok($output =~ /ONE/ and $output =~ /TWO/ and $output =~ /THREE/);
+
+# test default_escape
+$template = HTML::Template->new(path => ['templates'],
+                               filename => 'simple.tmpl',
+                               default_escape => 'html');
+$template->param(ADJECTIVE => '"very"');
+$output = $template->output;
+ok($output =~ /&quot;very&quot;/);
+
+$template = HTML::Template->new(path => ['templates'],
+                               filename => 'escape.tmpl',
+                               default_escape => 'html');
+$template->param(STUFF => '<>');
+$output = $template->output;
+ok($output !~ /<>/);
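Review bot: the second assertion, `ok($output !~ /<>/);`, is too weak: it also passes if STUFF is never rendered or the template fails to load and `$output` is empty. Assert the positive form, `ok($output =~ /&lt;&gt;/);`, so the test proves escaping happened rather than that the raw characters are absent. Also missing is the one case the cover note calls out, a template tag carrying an explicit `ESCAPE=0` while `default_escape => 'html'` is set, which should render `<>` verbatim; without it a regression in the `$2 || $7` override path would go unnoticed.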



_______________________________________________
Html-template-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/html-template-users
--- End Message ---
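An added usage example, not part of the patch or of HTML::Template's own test suite, showing the behaviour the cover note describes: untrusted input is entity-encoded by default_escape, while a tag with an explicit ESCAPE=0 opts out. It assumes a build of HTML::Template that carries this patch (or a later release shipping `default_escape`); the template text and parameter values are constructed here.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Template;

# Constructed template: NAME is untrusted (it came from a request) and gets
# the default escaping; BODY is trusted, pre-sanitized markup and opts out
# with an explicit ESCAPE=0, the override the patch keeps in force.
my $tmpl = <<'END_TMPL';
<p>Hello, <TMPL_VAR NAME="NAME">!</p>
<div class="content"><TMPL_VAR NAME="BODY" ESCAPE=0></div>
END_TMPL

my $t = HTML::Template->new(
    scalarref      => \$tmpl,
    default_escape => 'HTML',    # the option the patch introduces
);

$t->param(
    NAME => '<script>alert(1)</script>',   # hostile input, constructed
    BODY => '<em>trusted markup</em>',
);

my $out = $t->output;
print $out;

# What a caller relying on default_escape should be able to count on:
# untrusted input arrives entity-encoded, the ESCAPE=0 tag stays verbatim.
die "default_escape did not encode NAME" unless $out =~ /&lt;script&gt;/;
die "ESCAPE=0 override was ignored"      unless $out =~ m{<em>trusted markup</em>};
```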
