On Thu, May 3, 2012 at 7:00 AM, Jonathan Swartz <swa...@pobox.com> wrote:

> On Mar 7, 2012, at 1:49 AM, Pedro Melo wrote:
> > On Wed, Mar 7, 2012 at 12:11 AM, Jonathan Swartz <swa...@pobox.com>
> wrote:
> >> I hear your concerns. So I'm not sure which of these you are suggesting:
> >> 1) Substitution tags should be HTML-escaped by default in Mason.
> >
> > This one would be my choice *if* Mason was used only for the web.
>
> I still think it is difficult to set this default, given that substitution
> tags can be used when generating javascript, JSON, css, etc. even in a web
> environment.
And this is largely why I don't use my own module anymore :)

We wanted everything escaped, until we didn't.  Too often now templates are
hybrids of HTML and $something_that_escaping_screws_up.  As AJAX weaved its
way through the project we quickly found ourselves littering the templates
with |N when we could have just as easily littered them with |H, made the
intent of the code perfectly clear to everybody, and avoided behavior that
was reliant on proper configuration (the cynic in me can think of a
creative injection attack against a site via convincing DefaultFilter to
alter its settings).

Still, it's out there for those that find it useful and it's not going
anywhere.  I am just loath to force it on anybody, and I suspect Jonathan
was thinking the same thing when excising the feature in 2.x.  Even ye olde
HTML::Mason didn't actually enable any filters by default.

-- 
Stephen Clouse <stephenclo...@gmail.com>
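The trade-off Stephen describes (an explicit |H / |N on every tag versus a global default that can be misconfigured) is easy to see in a small model. The following is an added illustration, not code from Mason, DefaultFilter or anyone on this thread: a toy Perl renderer with a hypothetical `{{ var |FILTER }}` tag syntax that refuses any tag without a named filter, so that escaping never depends on a configuration setting. It uses only core modules (JSON::PP), and shows why the same default cannot serve both HTML and JSON output.

```perl
#!/usr/bin/env perl
# Added illustration, not Mason code. Tag syntax {{ name |FILTER }} is
# hypothetical; the H and N filter names follow the thread's convention.
use strict;
use warnings;
use JSON::PP qw(encode_json decode_json);

# H: escape text that lands inside HTML element content or attributes.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

my %filters = (
    H => \&html_escape,     # explicit: escape for an HTML context
    N => sub { $_[0] },     # explicit: emit raw; the tag documents the choice
);

# Render a template. Every tag must name its filter; an unfiltered tag is a
# hard error, so the template's safety is visible in the template itself
# rather than reliant on a global default being configured correctly.
sub render {
    my ($template, $vars) = @_;
    my $out = $template;
    $out =~ s{\{\{\s*(\w+)\s*\|\s*(\w+)\s*\}\}}{
        my ($name, $f) = ($1, $2);
        die "unknown filter '$f'\n" unless exists $filters{$f};
        die "unknown variable '$name'\n" unless exists $vars->{$name};
        $filters{$f}->($vars->{$name});
    }ge;
    die "substitution tag without a filter found\n" if $out =~ /\{\{/;
    return $out;
}

# Constructed sample data: untrusted user text beside a server-built JSON blob.
my %vars = (
    user => q{<script>alert(1)</script> "Bob"},
    cfg  => encode_json({ name => q{"Bob" & co}, count => 3 }),
);

# HTML context: H is the right filter, and the tag says so.
print render('<p>Hello {{ user |H }}</p>', \%vars), "\n";

# JSON handed to JavaScript: H turns every " into &quot; and the result is no
# longer JSON; N is correct here because cfg was built by the server, not
# taken from the user, and the |N in the template records that decision.
my $with_h = render('{{ cfg |H }}', \%vars);
my $with_n = render('{{ cfg |N }}', \%vars);
print "H on JSON: ", (eval { decode_json($with_h); 1 } ? "parses" : "does not parse"), "\n";
print "N on JSON: ", (eval { decode_json($with_n); 1 } ? "parses" : "does not parse"), "\n";

# A tag with no filter is rejected rather than silently emitted or escaped.
eval { render('{{ user }}', \%vars) };
print "unfiltered tag: ", ($@ ? "rejected" : "accepted"), "\n";
```

The `die` on an unfiltered tag is the piece that replaces a default: it makes the cost of forgetting a filter a build-time failure rather than a silent dependence on whatever DefaultFilter happens to be set to. In a real Mason 2 deployment the equivalent is reviewing that each substitution tag in HTML output carries the escaping filter from Mason::Plugin::HTMLFilters, and that raw output is limited to values the server built itself.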
_______________________________________________
Mason-users mailing list
Mason-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mason-users