Hi Philip, Craig, Norikatsu, Sam and all H::T users!
I've searched H::T mail list archive and found some proposals about
TMPL_VAR ESCAPE feature.
There are some implementations of
a) ESCAPE=JS
b) ESCAPE=BR
c) ESCAPE=HTML_BR
d) ESCAPE=BASE64
Great thanks to Craig and Norikatsu for their work.
Are there some reasons not to include "external escape handling"?
Best regards,
Aleksey
1.
This is a forwarded message
From: Philip S Tellis <[EMAIL PROTECTED]>
To: "HTML::Template List" <[EMAIL PROTECTED]>
Date: Thursday, November 14, 2002, 10:10:46 PM
Subject: [htmltmpl] How about external escape handling modules that are loaded at
runtime
===8<==============Original message text===============
Sometime Today, Craig Manley assembled some asciibets to say:
> Seeing all the ideas about custom escape options, perhaps it's a
> good idea to redesign HTML::Template a little bit so that it stores
> a hash of escaper classname => object pairs. Each time a TMPL_VAR
> passes by with an escape option, HTML::Template converts that option
> (safely) to a classname such as HTML::Template::Escaper::XXXX. If
I think something like this was discussed quite some time ago... about
having all escape=foo call a subroutine &escape_foo, or something like
that. I don't quite remember the exact details. Maybe someone else can
fill it in.
Philip
===8<===========End of original message text===========
2.
This is a forwarded message
From: Craig Manley <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Thursday, November 14, 2002, 8:43:39 PM
Subject: [htmltmpl] How about external escape handling modules that are loaded at
runtime
===8<==============Original message text===============
Hi Sam and all,
Seeing all the ideas about custom escape options, perhaps it's a good idea
to redesign HTML::Template a little bit so that it stores a hash of escaper
classname => object pairs. Each time a TMPL_VAR passes by with an escape
option, HTML::Template converts that option (safely) to a classname such as
HTML::Template::Escaper::XXXX. If HTML::Template hasn't already got an
instance of this escaper class in its hash, then an attempt is made to
create an instance using require and store it in the hash. If the escaper
object is in the hash then an escape method is called in the object using
the data to be escaped as parameter.
This will make HTML::Template more flexible and everybody can write their
own escaper classes without deteriorating the performance or increasing
compile time and memory usage of HTML::Template for those who don't need
these escape options.
This style of design is something you see on CPAN in modules such as DBI,
Apache::Session, etc.
-Craig Manley
===8<===========End of original message text===========
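Craig's proposal above, sketched as an added example (not code from HTML::Template or from any poster on this list). The HTML::Template::Escaper::* namespace comes from his message; the escaper_for function, the new/escape interface and the inline HTML_BR class are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical escaper class, defined inline so the example runs offline.
package HTML::Template::Escaper::HTML_BR;
sub new { return bless {}, shift }
sub escape {
    my ($self, $text) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $text =~ s/([&<>"'])/$ent{$1}/g;    # encode first ...
    $text =~ s/(\r?\n)/<BR>$1/g;        # ... then add the only markup
    return $text;
}
$INC{'HTML/Template/Escaper/HTML_BR.pm'} = __FILE__;    # mark as loaded

package main;

my %escapers;    # class name => escaper object, filled on first use

# Map an ESCAPE= option to an escaper object, loading the class lazily.
sub escaper_for {
    my ($option) = @_;
    $option =~ s/\A(["'])(.*)\1\z/$2/s;    # strip one pair of matching quotes
    # Allow-list the characters before the name reaches require: no "::",
    # "/", "." or whitespace, so it cannot name a module outside the namespace.
    my ($name) = $option =~ /\A([A-Za-z][A-Za-z0-9_]{0,31})\z/
        or die "invalid ESCAPE option\n";
    my $class = 'HTML::Template::Escaper::' . uc $name;
    return $escapers{$class} ||= do {
        (my $file = "$class.pm") =~ s{::}{/}g;
        eval { require $file; 1 } or die "no escaper for ESCAPE=$name\n";
        $class->can('escape') or die "$class has no escape method\n";
        $class->new;
    };
}

# Constructed sample inputs.
print escaper_for("'html_br'")->escape(qq{<b>hi</b>\n"bye"}), "\n";
for my $bad ('Foo::Bar', '../x', 'HTML BR') {
    my $ok = eval { escaper_for($bad); 1 };
    print "rejected: $bad\n" unless $ok;
}
```

Templates that never use an ESCAPE option pay nothing here, and an unknown but well-formed name fails at the require step rather than falling back to some other escaper.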
3.
This is a forwarded message
From: Norikatsu Shigemura <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Thursday, November 14, 2002, 3:37:25 PM
Subject: [htmltmpl] Extentions for TMPL_VAR ESCAPE=XXXXX
===8<==============Original message text===============
Dear HTML::Template users!
I wrote extensions for ESCAPE=XXXXX of TMPL_VAR with H::T 2.6.
Please review and merge!
1. ESCAPE=BR
keep CR/LF with <BR> and *NOT* HTML encoding.
This is useful for BBS(only XSS safe site, e.g. announcement,
in-company use(anchor saved), etc...).
2. ESCAPE=HTML_BR
keep CR/LF with <BR> and HTML encoding.
This is useful for BBS and an enquate use. Typically, I use ESCAPE=
HTML_BR with DISPLAY and ESCAPE=HTML with <INPUT type="hidden">.
It's mostly useful.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
<!-- TMPL_VAR ESCAPE=HTML_BR name="PARAM" -->
<INPUT type="hidden" name="PARAM" value="<TMPL_VAR ESCAPE=HTML name=PARAM>">
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
3. ESCAPE=BASE64
MIME::Base64 encoding. I used it for parameter passing, while I
made ESCAPE=HTML_BR. Now:-), I didn't know useful for.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--- Template.pm.orig Fri Aug 30 05:39:18 2002
+++ Template.pm Tue Nov 12 20:17:04 2002
@@ -881,6 +881,7 @@
use integer; # no floating point math so far!
use strict; # and no funny business, either.
+use MIME::Base64; # base64 encoder
use Carp; # generate better errors with more context
use File::Spec; # generate paths that work on all platforms
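Review bot: The added "use MIME::Base64;" at the top of the module loads the encoder for every user of Template.pm, whether or not any template uses ESCAPE=BASE64. Consider a "require MIME::Base64" at the point where the BASE64 escape is first recognised, so the dependency is only paid for when it is used.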
@@ -1735,8 +1736,11 @@
]);
(*fname, *fcounter, *fmax) = \ ( @{$fstack[0]} );
+ my $BR = HTML::Template::BR->new();
my $NOOP = HTML::Template::NOOP->new();
+ my $BASE64 = HTML::Template::Base64->new();
my $ESCAPE = HTML::Template::ESCAPE->new();
+ my $ESCAPE_BR = HTML::Template::ESCAPE_BR->new();
my $URLESCAPE = HTML::Template::URLESCAPE->new();
# all the tags that need NAMEs:
@@ -1815,6 +1819,15 @@
(?:[Uu][Rr][Ll]) |
(?:"[Uu][Rr][Ll]") |
(?:'[Uu][Rr][Ll]') |
+ (?:[Bb][Rr]) |
+ (?:"[Bb][Rr]") |
+ (?:'[Bb][Rr]') |
+ (?:[Bb][Aa][Ss][Ee]64) |
+ (?:"[Bb][Aa][Ss][Ee]64") |
+ (?:'[Bb][Aa][Ss][Ee]64') |
+ (?:[Hh][Tt][Mm][Ll][-_][Bb][Rr]) |
+ (?:"[Hh][Tt][Mm][Ll][-_][Bb][Rr]") |
+ (?:'[Hh][Tt][Mm][Ll][-_][Bb][Rr]') |
) # $5 => ESCAPE on
)
)* # allow multiple ESCAPEs
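Review bot: The HTML[-_]BR alternatives accept both HTML_BR and HTML-BR, but the description in this mail only mentions ESCAPE=HTML_BR. Either document the hyphenated spelling or drop it, so that templates have one spelling to rely on.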
@@ -1882,6 +1895,15 @@
(?:[Uu][Rr][Ll]) |
(?:"[Uu][Rr][Ll]") |
(?:'[Uu][Rr][Ll]') |
+ (?:[Bb][Rr]) |
+ (?:"[Bb][Rr]") |
+ (?:'[Bb][Rr]') |
+ (?:[Bb][Aa][Ss][Ee]64) |
+ (?:"[Bb][Aa][Ss][Ee]64") |
+ (?:'[Bb][Aa][Ss][Ee]64') |
+ (?:[Hh][Tt][Mm][Ll][-_][Bb][Rr]) |
+ (?:"[Hh][Tt][Mm][Ll][-_][Bb][Rr]") |
+ (?:'[Hh][Tt][Mm][Ll][-_][Bb][Rr]') |
) # $15 => ESCAPE on
)
)* # allow multiple ESCAPEs
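Review bot: These nine alternatives are a copy of the ones added to the first tag regex (the $5 group), so the two lists and the if ($escape) dispatch chain now have to be kept in step by hand for every new escape. A shared pattern variable interpolated into both regexes would remove the duplication.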
@@ -1966,6 +1988,12 @@
if ($escape) {
if ($escape =~ /^"?[Uu][Rr][Ll]"?$/) {
push(@pstack, $URLESCAPE);
+ } elsif($escape =~ /^"?[Bb][Rr]"?$/) {
+ push(@pstack, $BR);
+ } elsif($escape =~ /^"?[Bb][Aa][Ss][Ee]64"?$/) {
+ push(@pstack, $BASE64);
+ } elsif($escape =~ /^"?[Hh][Tt][Mm][Ll][-_][Bb][Rr]"?$/) {
+ push(@pstack, $ESCAPE_BR);
} else {
push(@pstack, $ESCAPE);
}
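Review bot: The three new elsif tests allow only an optional double quote (for example /^"?[Bb][Rr]"?$/), while the tag regexes in the earlier hunks also accept the single-quoted forms 'BR', 'BASE64' and 'HTML_BR'. Unless $escape has had its quotes removed before this point, which these lines do not show, a single-quoted value matches none of the new branches and falls through to the else branch and $ESCAPE. Using ["']? in the three new tests would cover both quoting styles.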
@@ -2647,6 +2675,40 @@
}
} elsif ($type eq 'HTML::Template::NOOP') {
next;
+
+ } elsif ($type eq 'HTML::Template::BR' ) {
+ $x++;
+ *line = \$parse_stack[$x];
+ if (defined($$line)) {
+ my $toencode = $$line;
+ $toencode=~s/(\r?\n)/<BR>$1/g;
+ $result .= $toencode;
+ }
+ next;
+
+ } elsif ($type eq 'HTML::Template::Base64' ) {
+ $x++;
+ *line = \$parse_stack[$x];
+ if (defined($$line)) {
+ $result .= encode_base64($$line, "");
+ }
+ next;
+ } elsif ($type eq 'HTML::Template::ESCAPE_BR') {
+ $x++;
+ *line = \$parse_stack[$x];
+ if (defined($$line)) {
+ my $toencode = $$line;
+ # straight from the CGI.pm bible.
+ $toencode=~s/&/&/g;
+ $toencode=~s/\"/"/g; #"
+ $toencode=~s/>/>/g;
+ $toencode=~s/</</g;
+ $toencode=~s/'/'/g; #'
+ $toencode=~s/(\r?\n)/<BR>$1/g;
+ $result .= $toencode;
+ }
+ next;
+
} elsif ($type eq 'HTML::Template::DEFAULT') {
$_ = $x; # remember default place in stack
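Review bot: The HTML::Template::BR branch appends $$line to $result with only the <BR> substitution applied, so any markup in the variable reaches the page unencoded; the POD should state that ESCAPE=BR is for trusted content only and point to ESCAPE=HTML_BR for user-supplied text. In the ESCAPE_BR branch the substitutions as they appear in this copy replace each character with itself (s/&/&/g and so on), which looks like the archive having decoded the entities, so check that branch against the raw patch before applying it. Both branches match only \r?\n, so a bare \r line ending gets no <BR>.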
@@ -2935,6 +2997,30 @@
}
package HTML::Template::ESCAPE;
+sub new {
+ my $unused;
+ my $self = \$unused;
+ bless($self, $_[0]);
+ return $self;
+}
+
+package HTML::Template::BR;
+sub new {
+ my $unused;
+ my $self = \$unused;
+ bless($self, $_[0]);
+ return $self;
+}
+
+package HTML::Template::Base64;
+sub new {
+ my $unused;
+ my $self = \$unused;
+ bless($self, $_[0]);
+ return $self;
+}
+
+package HTML::Template::ESCAPE_BR;
sub new {
my $unused;
my $self = \$unused;
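Review bot: The new() body is repeated with identical lines for ESCAPE, BR, Base64 and ESCAPE_BR; a single constructor in a common base package that the four inherit from would avoid the copies. The package name Base64 also breaks the all-caps pattern of the other marker classes (BR, ESCAPE_BR, URLESCAPE, NOOP).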
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
===8<===========End of original message text===========
4.
This is a forwarded message
From: Craig Manley <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Tuesday, November 05, 2002, 6:33:35 PM
Subject: [htmltmpl] Proposal: new ESCAPE=JS option in TMPL_VAR (JS means JavaScript).
===8<==============Original message text===============
Hi Sam and all,
I've patched Template.pm version 2.6 so that it can now escape Javascript
strings too. You can do that by passing the option ESCAPE=JS into a
TMPL_VAR.
ESCAPE=HTML and ESCAPE=URI are already supported, but I often have to
display Javascript alerts and create dynamic DHTML/Javascript menus from
data generated by a perl script. I feel that the ESCAPE=JS option is the
only feature lacking from HTML::Template. With this option, HTML::Template
is capable of escaping the 3 most common string formats in web applications:
URLs, HTML, and Javascript.
For those interested in how this works:
you can test this feature here:
http://www.varuvo.nl/cgi-bin/htmltemplatejs.cgi
and you can download the 'unofficial' patched Template.pm v2.6 here:
http://www.skybound.nl/cgi-bin/download.cgi/HTML-Template-2.6_js.tar.gz
So my proposal is: please include this option in the next official version.
-Craig Manley
===8<===========End of original message text===========
_______________________________________________
Html-template-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/html-template-users