2015-09-28 16:54 GMT+03:00 Shlomi Fish <[email protected]>:
> Because cross-site scripting (XSS) can be a serious security vulnerability.
> Let's suppose you put a field called "myfield" that was input from the user
> directly into the HTML:
>
> <td><% myfield %></td>
>
> Then a malicious user can put something like this in "myfield":
>
> <script type="text/javascript">alert('XSS!')</script>
>
> And this is just the beginning of malicious JS that can be inserted.
>
> For a cautionary measure, see:
>
> https://metacpan.org/release/Template-Stash-AutoEscaping
Some template engines treat your variables as potentially dangerous unless you tell them otherwise. For example Text::Xslate: https://metacpan.org/pod/Text::Xslate#Smart-escaping-for-HTML-metacharacters

Wbr,
--
Kõike hääd,
G
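The two messages above describe the same value rendered with and without escaping. The script below is an added illustration, not code from the thread or from Dancer, Template Toolkit or Text::Xslate; it assumes the CPAN modules Template and Text::Xslate are installed and uses a constructed "myfield" value in place of real user input. Template Toolkit is configured with the `<% %>` tag style that Dancer uses, so the templates match the ones quoted above; the third variant shows the escape-by-default behaviour that the reply refers to, and Template::Stash::AutoEscaping (linked in the quoted message) wires the same kind of escaping into Template Toolkit at the stash level.

```perl
#!/usr/bin/env perl
# Added example (not from the mailing-list thread): one user-supplied value
# rendered three ways. Requires Template and Text::Xslate from CPAN.
use strict;
use warnings;
use Template;
use Text::Xslate;

# Constructed sample standing in for whatever a user typed into "myfield".
my $myfield = q{<script type="text/javascript">alert('XSS!')</script>};

# Template Toolkit with Dancer's <% %> tag style instead of the default [% %].
my $tt = Template->new({
    START_TAG => quotemeta('<%'),
    END_TAG   => quotemeta('%>'),
}) or die Template->error;

# Render a template string with the sample value and return the output.
sub render_tt {
    my ($template) = @_;
    my $out = '';
    $tt->process(\$template, { myfield => $myfield }, \$out)
        or die $tt->error;
    return $out;
}

# 1. Raw interpolation: the <script> element reaches the browser untouched.
print "raw:    ", render_tt('<td><% myfield %></td>'), "\n";

# 2. The built-in html filter entity-encodes <, >, & and double quotes,
#    so the same bytes arrive as inert text inside the cell.
print "html:   ", render_tt('<td><% myfield | html %></td>'), "\n";

# 3. Text::Xslate (Kolon syntax) escapes every variable unless it is
#    explicitly marked raw, so forgetting a filter cannot reintroduce the bug.
my $tx = Text::Xslate->new();
print "xslate: ",
    $tx->render_string('<td><: $myfield :></td>', { myfield => $myfield }),
    "\n";
```

Running it prints the unescaped `<script>` element for the first line and `&lt;script ...&gt;` for the other two. The `html` filter only covers element content and double-quoted attribute values; a value placed in an unquoted attribute or inside a `<script>` block needs context-specific escaping, which is the main argument for an engine that escapes by default.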
