On 5/9/2012 11:57 AM, Stephen Clouse wrote:
> On Wed, May 9, 2012 at 11:39 AM, Jonathan Swartz <[email protected]
> <mailto:[email protected]>> wrote:
>
> This has got to be a common web template conundrum. Anyone know how
> Rails or Django solves it?
>
>
> In Django's case, by forcing the user's hand (escaping by default, must
> be explicitly disabled through template notation).
>
> Rails apparently either does or doesn't, depending on the version. More
> recent versions act like Django.
>
> As you noted, escaping by default would be fine and largely a
> non-argument if Mason were explicitly a Web template language, but it's not.
The problem is context. Escaping is appropriate in certain contexts and
not in others. There are many ways to determine context, quite a few of
them slow. The speed issues of Mason2, due largely to Moose as
discussed in the past, mean you do not want to add anything that makes
things even slower.
An example of a slow method would be a parser that breaks the final
output into a DOM tree and can apply escaping to the right parts.
An example of a method that preserves context is the CGI module. From
the CPAN page:
#!/usr/local/bin/perl -w
use strict;
use CGI;                             # load CGI routines
my $q = CGI->new;                    # create new CGI object
print $q->header,                    # create the HTTP header
      $q->start_html('hello world'), # start the HTML
      $q->h1('hello world'),         # level 1 header
      $q->end_html;                  # end the HTML
With a new $q->javascript or $q->raw method, the system knows whether
the output should be escaped, and can even apply different escaping
rules based on context. Maybe you want to do some type of escaping to
your Javascript that would be pathological when applied to normal HTML.
With hooks, the programmer could even provide their own custom
escaping rules.
I see two issues with this, but they are not major obstacles.
First, it takes some programmer discipline to program in the new style.
However, since Mason2 is new and is a bit different than Mason1, Moose
is certainly a new way of specifying objects, and the conversion from
the "old way" of programming to the PBP way (for those people doing
that), means that a change in style is not that drastic.
Second, while the CGI module may not be the best choice, it is a good
example. Adding a small bit of code to Mason2 which is optimized for
this process can improve performance over a general purpose module, like
CGI. This allows the programmer to specify output context while keeping
Mason2 content agnostic.
Essentially, if you want something not escaped at all, use $m->print,
such as for generating cron files or Apache configs. If you want web
escaping, use $m->html. Embedded Javascript could be $m->javascript and
so on.
I think the default for text outside a <%perl> block should be HTML
style escaping, since it seems that most Mason2 apps are web apps and
most non-web Mason2 apps would need some sort of Perl to generate their
output (and there is always the here-doc for boilerplate text).
Cheers.
Paul Wallingford
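The per-context output methods sketched above ($m->print for raw text, $m->html, $m->javascript, plus a hook for custom rules), worked through as a small stand-alone Perl script. This is an added example written for this thread, not Mason2 code and not its API: the package name OutputContext, its method names, the escaping rule sets and the hostile input string are all assumptions made here to show why one escaper cannot serve both HTML and JavaScript contexts.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# OutputContext: a stand-in for the $m->print / $m->html / $m->javascript
# output methods discussed in the thread. Example code for this reply,
# not Mason2's API; package and method names are assumptions.
package OutputContext;

sub new {
    my ($class) = @_;
    my $self = bless { buffer => '', escapers => {} }, $class;
    # Built-in contexts; 'raw' is what $m->print would use.
    $self->set_escaper(raw        => sub { $_[0] });
    $self->set_escaper(html       => \&escape_html);
    $self->set_escaper(javascript => \&escape_js);
    return $self;
}

# Hook for caller-supplied escaping rules: a context name mapped to a
# code ref that takes one string and returns the escaped string.
sub set_escaper {
    my ($self, $context, $code) = @_;
    $self->{escapers}{$context} = $code;
    return $self;
}

# Escape every argument with the rules for $context and append it.
sub emit {
    my ($self, $context, @text) = @_;
    my $esc = $self->{escapers}{$context}
        or die "no escaping rules registered for context '$context'\n";
    $self->{buffer} .= $esc->($_) for @text;
    return $self;   # allow chaining
}

sub print      { my $self = shift; $self->emit(raw        => @_) }
sub html       { my $self = shift; $self->emit(html       => @_) }
sub javascript { my $self = shift; $self->emit(javascript => @_) }
sub output     { $_[0]{buffer} }

# HTML text/attribute escaping: the five characters that can open a tag,
# close one, or end a quoted attribute value.
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# JavaScript string-literal escaping: hex-escape everything outside a
# small safe set, so quotes, backslashes, newlines, U+2028/U+2029 and
# "</script>" can neither end the literal nor the enclosing <script>.
# (Characters above U+FFFF would need a surrogate pair; not handled here.)
sub escape_js {
    my ($s) = @_;
    $s =~ s{([^A-Za-z0-9_,.\- ])}{
        my $o = ord($1);
        $o < 256 ? sprintf('\\x%02X', $o) : sprintf('\\u%04X', $o);
    }ge;
    return $s;
}

package main;

# Constructed hostile input: emitted raw it closes the <script> element
# and starts a new one; it also carries an apostrophe for the HTML case.
my $name = q{O'Brien</script><script>alert(1)</script>};

my $m = OutputContext->new;
$m->print('<h1>Hello, ')->html($name)->print("</h1>\n");
$m->print('<script>var user = "')->javascript($name)->print(qq{";</script>\n});
print $m->output;

# The same data through the wrong rules for its context: JS rules in the
# HTML body show the \x.. sequences to the reader; HTML rules inside a JS
# string leave "&lt;" verbatim (entities are not decoded inside <script>)
# and do nothing about backslashes or newlines in the value.
print "JS rules in HTML body:   ", OutputContext::escape_js($name),   "\n";
print "HTML rules in JS string: ", OutputContext::escape_html($name), "\n";

# A custom context via the hook: for a cron or Apache config line, refuse
# a value containing a line break rather than try to transform it.
$m = OutputContext->new->set_escaper(
    config_line => sub { my $v = shift; $v =~ /[\r\n]/ and die "newline in config value\n"; $v },
);
print $m->emit(config_line => '0 3 * * * /usr/local/bin/backup --target ', '/srv/data')->output, "\n";
```

Run it with plain `perl` and compare the two "wrong rules" lines against the correctly rendered page above them: the point of the post is that the escaper must be chosen by output context, and the config_line hook shows that a context may reasonably reject input instead of rewriting it.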
_______________________________________________
Mason-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/mason-users