On 5/9/2012 11:57 AM, Stephen Clouse wrote:
> On Wed, May 9, 2012 at 11:39 AM, Jonathan Swartz <swa...@pobox.com> wrote:
>
>     This has got to be a common web template conundrum. Anyone know how
>     Rails or Django solves it?
>
> In Django's case, by forcing the user's hand (escaping by default, must
> be explicitly disabled through template notation).
>
> Rails apparently either does or doesn't, depending on the version. More
> recent versions act like Django.
>
> As you noted, escaping by default would be fine and largely a
> non-argument if Mason were explicitly a Web template language, but it's not.
The problem is context. Escaping is appropriate in certain contexts and not in others. There are many ways to determine context, quite a few of them slow. The speed issues of Mason2, due largely to Moose as discussed in the past, mean you do not want to add anything that makes things even slower. An example of a slow method would be a parser that breaks up the final output into a DOM tree and can apply escaping to the right parts.

An example of a method that preserves context is the CGI module. From the CPAN page:

    #!/usr/local/bin/perl -w
    use CGI;                             # load CGI routines
    $q = CGI->new;                       # create new CGI object
    print $q->header,                    # create the HTTP header
          $q->start_html('hello world'), # start the HTML
          $q->h1('hello world'),         # level 1 header
          $q->end_html;                  # end the HTML

With a new $q->javascript or $q->raw method, the system knows whether the output should be escaped, and can even apply different escaping rules based on context. Maybe you want to do some type of escaping to your Javascript that would be pathological when applied to normal HTML. With hooks, the programmer could even provide their own custom escaping rules.

I see two issues with this, but they are not major obstacles.

First, it takes some programmer discipline to program in the new style. However, since Mason2 is new and is a bit different than Mason1, Moose is certainly a new way of specifying objects, and the conversion from the "old way" of programming to the PBP way (for those people doing that) means that a change in style is not that drastic.

Second, while the CGI module may not be the best choice, it is a good example. Adding a small bit of code to Mason2 which is optimized for this process can improve performance over a general purpose module, like CGI. This allows the programmer to specify output context while keeping Mason2 content agnostic.

Essentially, if you want something not escaped at all, use $m->print, such as for generating cron files or Apache configs. If you want web escaping, use $m->html. Embedded Javascript could be $m->javascript and so on. I think the default for text outside a <%perl> block should be HTML style escaping, since it seems that most Mason2 apps are web apps and most non-web Mason2 apps would need some sort of Perl to generate their output (and there is always the here-doc for boilerplate text).

Cheers.

Paul Wallingford
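As an added illustration of the per-context output methods proposed in the message above, here is a small Perl sketch. It is not code from Mason2 or from the poster: the package name ContextOutput, its methods (print, html, javascript, out, add_escaper, output) and the sample string are all assumptions made for the example. It shows one buffer receiving raw, HTML-escaped and JavaScript-string-escaped fragments, plus a registered custom escaper for an Apache config argument.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# ContextOutput is a hypothetical stand-in for a Mason-style output object
# ($m). It keeps one buffer and escapes each fragment according to the
# method used to emit it: print() is raw, html() and javascript() escape
# for their context, and add_escaper() is the hook for custom rules.
package ContextOutput;

sub new {
    my ($class) = @_;
    my $self = bless { buf => '', escapers => {} }, $class;
    $self->{escapers}{html}       = \&escape_html;
    $self->{escapers}{javascript} = \&escape_js_string;
    return $self;
}

# Entity-encode the characters that can change HTML structure or break
# out of a quoted attribute value.
sub escape_html {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Escape a value for use inside a JavaScript string literal. Besides
# backslashes, quotes and line breaks, "</" is split so the value cannot
# end an enclosing <script> element, and U+2028/U+2029 are encoded
# because JavaScript treats them as line terminators.
sub escape_js_string {
    my ($s) = @_;
    $s =~ s/\\/\\\\/g;
    $s =~ s/'/\\'/g;
    $s =~ s/"/\\"/g;
    $s =~ s/\n/\\n/g;
    $s =~ s/\r/\\r/g;
    $s =~ s{</}{<\\/}g;
    $s =~ s/\x{2028}/\\u2028/g;
    $s =~ s/\x{2029}/\\u2029/g;
    return $s;
}

# Raw output: no escaping at all (cron files, Apache configs, ...).
sub print {
    my ($self, @parts) = @_;
    $self->{buf} .= join '', @parts;
    return $self;
}

sub html       { my $self = shift; return $self->out('html', @_) }
sub javascript { my $self = shift; return $self->out('javascript', @_) }

# Emit @parts through the escaper registered for $ctx.
sub out {
    my ($self, $ctx, @parts) = @_;
    my $esc = $self->{escapers}{$ctx}
        or die "no escaper registered for context '$ctx'\n";
    $self->{buf} .= $esc->($_) for @parts;
    return $self;
}

# Hook for programmer-supplied escaping rules for a new context.
sub add_escaper {
    my ($self, $ctx, $code) = @_;
    $self->{escapers}{$ctx} = $code;
    return $self;
}

sub output { return $_[0]{buf} }

package main;

# Constructed sample value: one untrusted string lands in two contexts.
my $name = q{O'Brien <script>alert(1)</script>};

my $m = ContextOutput->new;
$m->print("<h1>")->html($name)->print("</h1>\n");
$m->print("<script>var who = '")->javascript($name)->print("';</script>\n");

# Custom context: a double-quoted argument in an Apache config line.
$m->add_escaper(apache_arg => sub {
    my ($s) = @_;
    $s =~ s/(["\\])/\\$1/g;
    return qq{"$s"};
});
$m->print("ServerAdmin ")->out('apache_arg', 'a "b" c')->print("\n");

print $m->output;
```

Running it prints the heading with the name entity-encoded, the script block with the name as a safe JS string literal (`O\'Brien <script>alert(1)<\/script>`), and `ServerAdmin "a \"b\" c"`. The same string shows why one rule cannot serve both contexts: HTML-escaping it inside the script block would leave `O&#39;Brien` in the JavaScript value (the browser does not decode entities there), while JS-escaping it inside the heading would leave a live `<script>` element in the page.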