> On Thu, May 3, 2012 at 7:00 AM, Jonathan Swartz <swa...@pobox.com> wrote:
> On Mar 7, 2012, at 1:49 AM, Pedro Melo wrote:
> > On Wed, Mar 7, 2012 at 12:11 AM, Jonathan Swartz <swa...@pobox.com> wrote:
> >> I hear your concerns. So I'm not sure which of these you are suggesting:
> >> 1) Substitution tags should be HTML-escaped by default in Mason.
> >
> > This one would be my choice *if* Mason was used only for the web.
> 
> I still think it is difficult to set this default, given that substitution 
> tags can be used when generating javascript, JSON, css, etc. even in a web 
> environment.
> 
> And this is largely why I don't use my own module anymore :)
> 
> We wanted everything escaped, until we didn't.  Too often now templates are 
> hybrids of HTML and $something_that_escaping_screws_up.  As AJAX weaved its 
> way through the project we quickly found ourselves littering the templates 
> with |N when we could have just as easily littered them with |H, made the 
> intent of the code perfectly clear to everybody, and avoided behavior that 
> was reliant on proper configuration (the cynic in me can think of a creative 
> injection attack against a site via convincing DefaultFilter to alter its 
> settings).
> 
> Still, it's out there for those that find it useful and it's not going 
> anywhere.  I am just loath to force it on anybody, and I suspect Jonathan 
> was thinking the same thing when excising the feature in 2.x.  Even ye olde 
> HTML::Mason didn't actually enable any filters by default.

This has got to be a common web template conundrum. Anyone know how Rails or 
Django solves it?

Jon
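The trade-off discussed in this thread (escape-by-default vs. explicit per-context filters), as an added illustration that is not Mason code and not from anyone on this list: a toy substitution-tag renderer with assumed filter names `|H` (HTML-escape), `|J` (JSON/JS-string) and `|N` (none). It shows that an HTML-escaping default is right for an HTML paragraph but silently corrupts the same value inside a `<script>` string, while a tag carrying its own context filter produces correct output without depending on any default configuration.

```python
import html
import json
import re

# Toy substitution-tag renderer standing in for Mason's tags (not Mason code).
# A tag is <% var %> with an optional filter suffix: <% var |H %>.
# Filter names are assumed for this example: |H HTML-escape, |J JSON-encode
# for a <script> context, |N no filtering.
TAG = re.compile(r"<%\s*(\w+)\s*(?:\|(\w))?\s*%>")

def js_string(value):
    # JSON string literal with "<" escaped so "</script>" can never close the tag.
    return json.dumps(value).replace("<", "\\u003c")

FILTERS = {
    "H": lambda v: html.escape(v, quote=True),
    "J": js_string,
    "N": lambda v: v,
}

def render(template, variables, default_filter="N"):
    """Expand tags; a tag without a filter suffix gets default_filter."""
    def expand(match):
        name, flt = match.group(1), match.group(2) or default_filter
        return FILTERS[flt](str(variables[name]))
    return TAG.sub(expand, template)

# Constructed sample value containing the characters each context cares about.
NAME = 'Ann "the <b>Boss</b>" O\'Neil'

def html_by_default():
    # Escape-by-default: correct for the HTML paragraph ...
    return render("<p>Hi <% name %></p>", {"name": NAME}, default_filter="H")

def js_by_default():
    # ... but the same default mangles a JS string literal: the engine does not
    # decode &quot; or &lt;, so the script receives the entity text, not the value.
    return render('<script>var who = "<% name %>";</script>', {"name": NAME},
                  default_filter="H")

def js_explicit():
    # Explicit per-context filter: the tag states its context, so the output is
    # correct whether or not any default filter is configured.
    return render('<script>var who = <% name |J %>;</script>', {"name": NAME})
```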

_______________________________________________
Mason-users mailing list
Mason-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mason-users