Re: [Mason] Mason2: no default HTML escaping

2012-05-10 Thread Jonathan Swartz
> On Wed, 9 May 2012, Paul Wallingford wrote:
> 
>> The problem is context.  Escaping is appropriate in certain contexts and
>> not in others.  There are many ways to determine context, quite a few of
>> them slow.  The speed issues of Mason2, due largely to Moose as
>> discussed in the past, means you do not want to add anything that makes
>> things even slower.
> 
> Are you talking about a speed issue besides startup speed?
> 
> Honestly, I'd be surprised if Mason 2 was significantly slower than Mason 1
> at run time.

Mason 2 is noticeably *faster* than Mason 1 in terms of raw component call 
speed. This is because Mason 1 component calls did a bunch of custom stack 
maintenance and so on, whereas in Mason 2 it is pretty much 
component_class->new(@args)->run().

Mason 2 is probably slower to startup than Mason 1, like anything that uses 
Moose. I can't get real worked up over this. I use Moose for all sorts of stuff 
and the startup speed never seems to bother me. I guess I'm not running lots of 
tiny scripts real frequently?

Need to rerun and publish these benchmarks.

Jon


--
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
___
Mason-users mailing list
Mason-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mason-users


Re: [Mason] Mason2: no default HTML escaping

2012-05-10 Thread Dave Rolsky
On Wed, 9 May 2012, Paul Wallingford wrote:

> The problem is context.  Escaping is appropriate in certain contexts and
> not in others.  There are many ways to determine context, quite a few of
> them slow.  The speed issues of Mason2, due largely to Moose as
> discussed in the past, means you do not want to add anything that makes
> things even slower.

Are you talking about a speed issue besides startup speed?

Honestly, I'd be surprised if Mason 2 was significantly slower than Mason 1
at run time.


-dave

/*
http://VegGuide.org   http://blog.urth.org
Your guide to all that's veg  House Absolute(ly Pointless)
*/



Re: [Mason] Mason2: no default HTML escaping

2012-05-09 Thread Paul Wallingford
On 5/9/2012 1:16 PM, Stephen Clouse wrote:

> Don't assume that people have done it your way. TMTOWTDI, after all.

I don't.  I have asked before what people thought regarding the most
common use for Mason.  I do not deny it is used for non-web 
applications.  Several people in the past pointed out that they use it 
for other types of content generation.

On 2012-03-06, Dave Rolsky wrote "I often use Mason as the templating 
language with tools that generate config files.  That said, I'm all for 
having HTML filters in the core, although I'm not actually using Mason 2 
for anything right now."


However, in my opinion, I believe that Mason is used *most of the time* 
for web content.  I do not have any real statistics to support that, 
just my experience with it, and what I read on this list.

So, I will ask once again, what percentage of the time do people use 
Mason for web versus non-web generation?


Perl claims to make easy things easy and hard things possible.  If Mason 
is used most of the time for web content generation, then it should have 
defaults set for web output with ways to override that for those _once 
in a lifetime_ type projects, like your Fedora install script.

Cheers.

Paul Wallingford



Re: [Mason] Mason2: no default HTML escaping

2012-05-09 Thread Pedro Melo
Hi,

On Wed, May 9, 2012 at 9:16 PM, Stephen Clouse  wrote:
> Note, again, that Mason is a *general-purpose* template language, not
> necessarily a *web* template language.

True, but most of Mason use is to generate Web pages, so I would
suggest that the most common case should be correct by default.

Either way I'm happy with the changes Jon did to mention DefaultFilter
more often in the documentation. I still believe HTML escaping should
be on by default to cover the most common case ("simple things should
be easy, hard things should be possible" and all that...) but I'm
content with the current text in the docs. I'm also happy to see Jon
mentioning that Poet might default to escape HTML.

Bye,
-- 
Pedro Melo
@pedromelo
http://www.simplicidade.org/
http://about.me/melo
xmpp:m...@simplicidade.org
mailto:m...@simplicidade.org



Re: [Mason] Mason2: no default HTML escaping

2012-05-09 Thread Jonathan Swartz
> I think the default for text outside a <%perl> block should be HTML style 
> escaping, since it seems that most Mason2 apps are web apps and most non-web 
> Mason2 apps would need some sort of Perl to generate their output (and there 
> is always the here-doc for boilerplate text).

Have to disagree, I use Mason to generate httpd.conf files all the time. In 
fact Poet will have a plugin to do just that.

But for the specific Mason interpreter that Poet creates to answer web 
requests, I am leaning towards escaping html by default, as long as there are 
various convenient ways to turn it off.




Re: [Mason] Mason2: no default HTML escaping

2012-05-09 Thread Stephen Clouse
On Wed, May 9, 2012 at 3:15 PM, Jonathan Swartz  wrote:

> > As you noted, escaping by default would be fine and largely a
> > non-argument if Mason were explicitly a Web template language, but it's not.
>
> I'm confused Stephen, because this statement seems to contradict your
> other statement that "escaping by default never works right, because too
> many templates contain a mix of html, javascript, css, etc." and that this
> is "action at a distance" (paraphrasing).
>

*Personally*, I wouldn't want it for that exact reason, but I'm not
Mason/Poet's primary author :)


> If a thoughtful framework like django does this by default, then I'd say
> it's a pretty good bet Poet ought to as well.
>

This justification I can get behind, whether I agree with the result or not.

-- 
Stephen Clouse 


Re: [Mason] Mason2: no default HTML escaping

2012-05-09 Thread Stephen Clouse
On Wed, May 9, 2012 at 2:30 PM, Paul Wallingford wrote:

> An example of a slow method would be a parser that breaks of the final
> output into a DOM tree and can apply escaping to the right parts.
>

That assumes that there is a DOM tree to be parsed.

> An example of a method that preserves context is the CGI module.
>

Or a CGI environment.

> Essentially, if you want something not escaped at all, use $m->print, such
> as for generating cron files or Apache configs.  If you want web escaping,
> use $m->html.  Embedded Javascript could be $m->javascript and so on.
>

This defeats the entire point of a template language.  If I have to call
methods to DWIM, I might as well write it all in raw Perl code.

Note, again, that Mason is a *general-purpose* template language, not
necessarily a *web* template language.

> I think the default for text outside a <%perl> block should be HTML style
> escaping, since it seems that most Mason2 apps are web apps and most
> non-web Mason2 apps would need some sort of Perl to generate their output
> (and there is always the here-doc for boilerplate text).
>

One thing I've (ab)used Mason for in the past is dynamic generation of
kickstart configs for Fedora network installs.  There was a minimal amount
of Perl in an <%init> block, and the heavy lifting was handled via Mason
template inheritance.  No <%perl> blocks at all, and I shudder to even
think what that would have looked like had it been a requirement.

Actually, it probably would have looked like Template Toolkit, because that
sort of onerous requirement would have made Mason the Wrong Thing for the
project.  (And perhaps it was anyway, but I like to think the final product
was quite elegant.)

Don't assume that people have done it your way. TMTOWTDI, after all.

-- 
Stephen Clouse 


Re: [Mason] Mason2: no default HTML escaping

2012-05-09 Thread Jonathan Swartz
> As you noted, escaping by default would be fine and largely a non-argument if 
> Mason were explicitly a Web template language, but it's not.
> 

I'm confused Stephen, because this statement seems to contradict your other 
statement that "escaping by default never works right, because too many 
templates contain a mix of html, javascript, css, etc." and that this is 
"action at a distance" (paraphrasing).

Mason is not explicitly a Web template language, but Poet *is* explicitly a web 
framework and reserves the right to tweak Mason settings appropriately. So it 
might well be reasonable to turn on HTML escaping by default for Poet.

In any case, it seems like default escaping is a reasonable feature for Mason 
to make available sans any scary caveats. Though ideally you'd be able to turn 
it on/off on a component or a directory basis, or even on a partial-component 
basis, rather than a giant on/off switch for your whole site. 

If a thoughtful framework like django does this by default, then I'd say it's a 
pretty good bet Poet ought to as well.

Jon




Re: [Mason] Mason2: no default HTML escaping

2012-05-09 Thread Paul Wallingford
On 5/9/2012 11:57 AM, Stephen Clouse wrote:
> On Wed, May 9, 2012 at 11:39 AM, Jonathan Swartz wrote:
>
> This has got to be a common web template conundrum. Anyone know how
> Rails or Django solves it?
>
>
> In Django's case, by forcing the user's hand (escaping by default, must
> be explicitly disabled through template notation).
>
> Rails apparently either does or doesn't, depending on the version.  More
> recent versions act like Django.
>
> As you noted, escaping by default would be fine and largely a
> non-argument if Mason were explicitly a Web template language, but it's not.


The problem is context.  Escaping is appropriate in certain contexts and 
not in others.  There are many ways to determine context, quite a few of 
them slow.  The speed issues of Mason2, due largely to Moose as 
discussed in the past, means you do not want to add anything that makes 
things even slower.

An example of a slow method would be a parser that breaks of the final 
output into a DOM tree and can apply escaping to the right parts.

An example of a method that preserves context is the CGI module.  From 
the CPAN page:

#!/usr/local/bin/perl -w
use CGI;                             # load CGI routines
$q = CGI->new;                       # create new CGI object
print $q->header,                    # create the HTTP header
      $q->start_html('hello world'), # start the HTML
      $q->h1('hello world'),         # level 1 header
      $q->end_html;                  # end the HTML

With a new $q->javascript or $q->raw method, the system knows whether 
the output should be escaped, and can even apply different escaping 
rules based on context.  Maybe you want to do some type of escaping to 
your Javascript that would be pathological when applied to normal HTML. 
  With hooks, the programmer could even provide their own custom 
escaping rules.

I see two issues with this, but they are not major obstacles.

First, it takes some programmer discipline to program in the new style. 
  However, since Mason2 is new and is a bit different than Mason1, Moose 
is certainly a new way of specifying objects, and the conversion from 
the "old way" of programming to the PBP way (for those people doing 
that), means that a change in style is not that drastic.

Second, while the CGI module may not be the best choice, it is a good 
example.  Adding a small bit of code to Mason2 which is optimized for 
this process can improve performance over a general purpose module, like 
CGI.  This allows the programmer to specify output context while keeping 
Mason2 content agnostic.

Essentially, if you want something not escaped at all, use $m->print, 
such as for generating cron files or Apache configs.  If you want web 
escaping, use $m->html.  Embedded Javascript could be $m->javascript and 
so on.

I think the default for text outside a <%perl> block should be HTML 
style escaping, since it seems that most Mason2 apps are web apps and 
most non-web Mason2 apps would need some sort of Perl to generate their 
output (and there is always the here-doc for boilerplate text).

Cheers.

Paul Wallingford
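
The per-context idea in the message above, and the hybrid HTML/JavaScript templates described elsewhere in the thread, as an added example that is not part of the thread and is not Mason code. The toy renderer, the sub names and the JS filter letter are hypothetical (H and N follow the thread), and the name value is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Toy renderer, not Mason: "<% name %>" takes the default filter,
# "<% name | F %>" names one explicitly (H = HTML, JS = JavaScript string,
# N = none). H and N follow the thread; JS is a hypothetical addition.

my %ENTITY = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
              '"' => '&quot;', "'" => '&#39;');

# Escape for HTML text and quoted attribute values.
sub escape_html {
    my ($s) = @_;
    $s =~ s/([&<>"'])/$ENTITY{$1}/g;
    return $s;
}

# \uXXXX-encode everything outside a small safe set, so the value cannot end
# the string literal or the enclosing <script> element. Expects decoded
# characters, not UTF-8 bytes.
sub escape_js_string {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9 _.,-])/_js_unit(ord $1)/ge;
    return $s;
}

sub _js_unit {
    my ($cp) = @_;
    return sprintf('\\u%04x', $cp) if $cp <= 0xFFFF;
    $cp -= 0x10000;    # code point above U+FFFF: emit a UTF-16 surrogate pair
    return sprintf('\\u%04x\\u%04x',
                   0xD800 + ($cp >> 10), 0xDC00 + ($cp & 0x3FF));
}

my %FILTER = (
    H  => \&escape_html,
    JS => \&escape_js_string,
    N  => sub { $_[0] },
);

# Replace every substitution tag with its filtered value.
sub render {
    my ($template, $vars, $default) = @_;
    $template =~ s{<%\s*(\w+)\s*(?:\|\s*(\w+)\s*)?%>}{
        my ($name, $flag) = ($1, defined $2 ? $2 : $default);
        my $filter = $FILTER{$flag} or die "unknown filter '$flag'\n";
        die "no value for '$name'\n" unless exists $vars->{$name};
        $filter->($vars->{$name});
    }gex;
    return $template;
}

# Constructed sample value with HTML and JavaScript metacharacters.
my %vars = (name => q{O'Neil <b>"R&D"</b> C:\new});

# Same variable in an HTML position and in a JavaScript string position.
my $implicit = <<'END';
<p>Hello, <% name %></p>
<script>var who = "<% name %>";</script>
END

# Identical, except that the script position names its own filter.
my $explicit = <<'END';
<p>Hello, <% name %></p>
<script>var who = "<% name | JS %>";</script>
END

for my $case (
    [ 'no default filter',            $implicit, 'N' ],
    [ 'default H everywhere',         $implicit, 'H' ],
    [ 'default H, JS named in place', $explicit, 'H' ],
) {
    my ($label, $template, $default) = @$case;
    print "--- $label ---\n", render($template, \%vars, $default), "\n";
}
```

In the second render the script line carries entity text such as `&quot;` into the string and leaves the backslash of `C:\new` untouched, so the HTML filter neither preserves the data nor covers JavaScript's own metacharacters; only the third render is correct in both positions.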



Re: [Mason] Mason2: no default HTML escaping

2012-05-09 Thread Stephen Clouse
On Wed, May 9, 2012 at 11:39 AM, Jonathan Swartz  wrote:

> This has got to be a common web template conundrum. Anyone know how Rails
> or Django solves it?
>

In Django's case, by forcing the user's hand (escaping by default, must be
explicitly disabled through template notation).

Rails apparently either does or doesn't, depending on the version.  More
recent versions act like Django.

As you noted, escaping by default would be fine and largely a non-argument
if Mason were explicitly a Web template language, but it's not.

-- 
Stephen Clouse 


Re: [Mason] Mason2: no default HTML escaping

2012-05-09 Thread Jonathan Swartz
> On Thu, May 3, 2012 at 7:00 AM, Jonathan Swartz  wrote:
> On Mar 7, 2012, at 1:49 AM, Pedro Melo wrote:
> > On Wed, Mar 7, 2012 at 12:11 AM, Jonathan Swartz  wrote:
> >> I hear your concerns. So I'm not sure which of these you are suggesting:
> >> 1) Substitution tags should be HTML-escaped by default in Mason.
> >
> > This one would be my choice *if* Mason was used only for the web.
> 
> I still think it is difficult to set this default, given that substitution
> tags can be used when generating javascript, JSON, css, etc. even in a web 
> environment.
> 
> And this is largely why I don't use my own module anymore :)
> 
> We wanted everything escaped, until we didn't.  Too often now templates are 
> hybrids of HTML and $something_that_escaping_screws_up.  As AJAX weaved its 
> way through the project we quickly found ourselves littering the templates 
> with |N when we could have just as easily littered them with |H, made the 
> intent of the code perfectly clear to everybody, and avoided behavior that 
> was reliant on proper configuration (the cynic in me can think of a creative 
> injection attack against a site via convincing DefaultFilter to alter its 
> settings).
> 
> Still, it's out there for those that find it useful and it's not going 
> anywhere.  I am just loath to force it on anybody, and I suspect Jonathan
> was thinking the same thing when excising the feature in 2.x.  Even ye olde 
> HTML::Mason didn't actually enable any filters by default.

This has got to be a common web template conundrum. Anyone know how Rails or 
Django solves it?

Jon



Re: [Mason] Mason2: no default HTML escaping

2012-05-03 Thread Stephen Clouse
On Thu, May 3, 2012 at 7:00 AM, Jonathan Swartz  wrote:

> On Mar 7, 2012, at 1:49 AM, Pedro Melo wrote:
> > On Wed, Mar 7, 2012 at 12:11 AM, Jonathan Swartz wrote:
> >> I hear your concerns. So I'm not sure which of these you are suggesting:
> >> 1) Substitution tags should be HTML-escaped by default in Mason.
> >
> > This one would be my choice *if* Mason was used only for the web.
>
> I still think it is difficult to set this default, given that substitution
> tags can be used when generating javascript, JSON, css, etc. even in a web
> environment.


And this is largely why I don't use my own module anymore :)

We wanted everything escaped, until we didn't.  Too often now templates are
hybrids of HTML and $something_that_escaping_screws_up.  As AJAX weaved its
way through the project we quickly found ourselves littering the templates
with |N when we could have just as easily littered them with |H, made the
intent of the code perfectly clear to everybody, and avoided behavior that
was reliant on proper configuration (the cynic in me can think of a
creative injection attack against a site via convincing DefaultFilter to
alter its settings).

Still, it's out there for those that find it useful and it's not going
anywhere.  I am just loath to force it on anybody, and I suspect Jonathan
was thinking the same thing when excising the feature in 2.x.  Even ye olde
HTML::Mason didn't actually enable any filters by default.

-- 
Stephen Clouse 


Re: [Mason] Mason2: no default HTML escaping

2012-05-03 Thread Jonathan Swartz

On Mar 7, 2012, at 1:49 AM, Pedro Melo wrote:

> On Wed, Mar 7, 2012 at 12:11 AM, Jonathan Swartz  wrote:
>> I hear your concerns. So I'm not sure which of these you are suggesting:
>> 1) Substitution tags should be HTML-escaped by default in Mason.
> 
> This one would be my choice *if* Mason was used only for the web.
> 

I still think it is difficult to set this default, given that substitution tags
can be used when generating javascript, JSON, css, etc. even in a web 
environment.  At the very least we'd need the ability to turn the default 
on/off on a per-component or directory basis, rather than for an entire site.

> 
>> 2) DefaultFilter should be implemented and documented in core Mason, so that 
>> it doesn't require a separate plugin install.
> 
> I think this should happen either way. Maybe not move into the core,
> but at least document it, and remove the big scary CAVEAT section from
> the DefaultFilter docs (I know it's not your module, but I think if you
> suggested it to Stephen he would agree).

For now, I've added DefaultFilter to the Mason documentation in multiple places.

> The previous paragraph, and the fact that we can't target components
> to specific HTTP methods (like Dave mentioned in the GET/POST
> parameters thread), argue that the Mason dispatcher is a bit too
> limited. I have mixed feelings about it. On one hand I like that it's
> simple, just drop files into a directory and you are done. On the
> other, if we could add route filters for HTTP method, mime/type and/or
> others, we could tweak the defaults for each request, and provide
> saner HTTP error codes.


The Mason dispatcher will probably always be feature-light compared with other 
frameworks. But adding the ability to filter on GET/POST does seem reasonable. 
Suggestions on syntax welcome. It could be a class method, e.g.

CLASS->allow_http_methods('POST');

or perhaps Mason looks for specifically named methods, e.g.

method handle_POST {
...
}




Re: [Mason] Mason2: no default HTML escaping

2012-03-07 Thread Pedro Melo
On Wed, Mar 7, 2012 at 9:59 AM, Jérôme Étévé  wrote:
> On 7 March 2012 09:49, Pedro Melo  wrote:
>>> #1 is hard to do because Mason is supposed to be content-type agnostic - 
>>> usable for HTML generation but also other kinds of content generation.

(this quote is not mine, btw...)

> The default filter is defined in the interpreter instance. If you need
> to use Mason to generate any type of content, you can perfectly have
> different interpreters with different default filters. Anything wrong
> with that?

Nothing, but it's not that simple.

If I have a website that generates HTML (normal pages), JSON (AJAX or
API) and XML (feeds), should I have several interpreters? And use
Plack::Builder to mount each of them on different prefixes?

Doable but ugly :)


Bye,
-- 
Pedro Melo
@pedromelo
http://www.simplicidade.org/
http://about.me/melo
xmpp:m...@simplicidade.org
mailto:m...@simplicidade.org



Re: [Mason] Mason2: no default HTML escaping

2012-03-07 Thread Jonathan Swartz

On Mar 7, 2012, at 1:59 AM, Jérôme Étévé wrote:

> On 7 March 2012 09:49, Pedro Melo  wrote:
>>> #1 is hard to do because Mason is supposed to be content-type agnostic - 
>>> usable for HTML generation but also other kinds of content generation.
> 
> The default filter is defined in the interpreter instance. If you need
> to use Mason to generate any type of content, you can perfectly have
> different interpreters with different default filters. Anything wrong
> with that?
> 

Nothing wrong with that. It's fine to be able to set a default filter in each 
interpreter. I just don't think it can be the default for Mason out of the box.

> If users really insist on having the same Mason interpreter to render
> different types of contents, maybe the default filter should be a
> property of the component? Define it in Base.mc for your HTML
> generating component directory .. job done.


That would be nice. The problem is that the default filter affects compilation 
of the component (in particular, it affects how <% %> tags are converted to 
Perl) so it isn't a simple call you could put in the <%class> section, for 
example - it would have to be a <%flags>, and currently there is no way to 
inherit those.

But I agree, it's appealing to be able to set the default filter on a 
per-component basis, just for the components that output HTML. Would just like 
a better syntax than

   <%flags>
   default_filters => ['H']
   </%flags>

Yuck.

Jon




Re: [Mason] Mason2: no default HTML escaping

2012-03-07 Thread Jonathan Swartz
On Mar 6, 2012, at 5:18 PM, Paul Wallingford wrote:

> On 3/6/2012 4:11 PM, Jonathan Swartz wrote:
>> I hear your concerns. So I'm not sure which of these you are suggesting:
>> 1) Substitution tags should be HTML-escaped by default in Mason.
>> 2) DefaultFilter should be implemented and documented in core Mason, so that 
>> it doesn't require a separate plugin install.
>> 
>> #1 is hard to do because Mason is supposed to be content-type agnostic - 
>> usable for HTML generation but also other kinds of content generation.
>> 
>> #2 is more reasonable.
>> 
> 
> Here is a question to ponder.
> 
> Mason, it seems, was born originally with the idea in mind for 
> generating web pages.  Tools that are generic have their place, but so 
> do tools that specialize.  Tools that specialize can implement 
> optimizations since they do not have to consider possibilities outside 
> their specialty.  Case in point is the question of HTML filters in the 
> Mason core.
> 
> So, the question is: Has anyone used Mason for anything serious other 
> than web page generation?  If the amount of people or projects using 
> Mason that are not web based is essentially zero, it may be better to 
> add web specific features and optimizations.
> 
> I do not know the answer to this question, except my own experience, 
> which is that 100% of my Mason projects are for the web.

I use Mason to generate httpd and other conf files at work.

You're probably correct, though, that 99% of Mason's use is in generating web 
content. However, that isn't always HTML pages; I've used it to generate 
javascript and JSON results too, where HTML escaping would definitely be
unwelcome.

So I think it's better to have a well-supported, easy way to html-escape all 
substitution tags than to put this in as the global default.

Jon




Re: [Mason] Mason2: no default HTML escaping

2012-03-07 Thread Jérôme Étévé
On 7 March 2012 09:49, Pedro Melo  wrote:
>> #1 is hard to do because Mason is supposed to be content-type agnostic - 
>> usable for HTML generation but also other kinds of content generation.

The default filter is defined in the interpreter instance. If you need
to use Mason to generate any type of content, you can perfectly have
different interpreters with different default filters. Anything wrong
with that?

If users really insist on having the same Mason interpreter to render
different types of contents, maybe the default filter should be a
property of the component? Define it in Base.mc for your HTML
generating component directory .. job done.

-- 
Jerome Eteve.

http://sigstp.blogspot.com/
http://twitter.com/jeteve



Re: [Mason] Mason2: no default HTML escaping

2012-03-07 Thread Pedro Melo
Hi,

On Wed, Mar 7, 2012 at 1:18 AM, Paul Wallingford  wrote:
> So, the question is: Has anyone used Mason for anything serious other
> than web page generation?

Most current websites generate at least JSON (if they have an API) and
XML (if they have RSS/Atom feeds).

Personally I also use it to generate email messages because I send
multipart messages with both text and HTML versions, and using the
same tool helps me reuse some components on the HTML part with the
main site.

But I understand and partially agree that specialization is not a bad thing.

Bye,
-- 
Pedro Melo
@pedromelo
http://www.simplicidade.org/
http://about.me/melo
xmpp:m...@simplicidade.org
mailto:m...@simplicidade.org



Re: [Mason] Mason2: no default HTML escaping

2012-03-07 Thread Pedro Melo
On Wed, Mar 7, 2012 at 12:11 AM, Jonathan Swartz  wrote:
> I hear your concerns. So I'm not sure which of these you are suggesting:
> 1) Substitution tags should be HTML-escaped by default in Mason.

This one would be my choice *if* Mason was used only for the web.


> 2) DefaultFilter should be implemented and documented in core Mason, so that 
> it doesn't require a separate plugin install.

I think this should happen either way. Maybe not move into the core,
but at least document it, and remove the big scary CAVEAT section from
the DefaultFilter docs (I know it's not your module, but I think if you
suggested it to Stephen he would agree).


> #1 is hard to do because Mason is supposed to be content-type agnostic - 
> usable for HTML generation but also other kinds of content generation.


OTOH, Mason is mainly used to generate HTML, and I really don't like
"insecure by default" situations. I truly understand that Mason is
used to generate other types of content, I use it to generate text
parts of mail messages and JSON responses.

Understand that I'm raising the concern, I don't claim to have a
perfect answer for this. Part of me would like more magical behavior
based on the output mime/type. If Mason knows the mime/type it is
generating, it could pick saner choices for some of its defaults, like
the default filters for substitution tags. But this might seem a bit
too magical.

The previous paragraph, and the fact that we can't target components
to specific HTTP methods (like Dave mentioned in the GET/POST
parameters thread), argue that the Mason dispatcher is a bit too
limited. I have mixed feelings about it. On one hand I like that its
simple, just drop files into a directory and you are done. On the
other, if we could add route filters for HTTP method, mime/type and/or
others, we could tweak the defaults for each request, and provide
saner HTTP error codes.

A valid response is just don't use Mason dispatcher if you need that stuff.


Thanks,
-- 
Pedro Melo
@pedromelo
http://www.simplicidade.org/
http://about.me/melo
xmpp:m...@simplicidade.org
mailto:m...@simplicidade.org



Re: [Mason] Mason2: no default HTML escaping

2012-03-06 Thread Dave Rolsky
On Tue, 6 Mar 2012, Paul Wallingford wrote:

> So, the question is: Has anyone used Mason for anything serious other
> than web page generation?  If the amount of people or projects using
> Mason that are not web based is essentially zero, it may be better to
> add web specific features and optimizations.

I often use Mason as the templating language with tools that generate 
config files.

That said, I'm all for having HTML filters in the core, although I'm not 
actually using Mason 2 for anything right now.


-dave

/*
http://VegGuide.org   http://blog.urth.org
Your guide to all that's veg  House Absolute(ly Pointless)
*/



Re: [Mason] Mason2: no default HTML escaping

2012-03-06 Thread Paul Wallingford
On 3/6/2012 4:11 PM, Jonathan Swartz wrote:
> I hear your concerns. So I'm not sure which of these you are suggesting:
> 1) Substitution tags should be HTML-escaped by default in Mason.
> 2) DefaultFilter should be implemented and documented in core Mason, so that 
> it doesn't require a separate plugin install.
>
> #1 is hard to do because Mason is supposed to be content-type agnostic - 
> usable for HTML generation but also other kinds of content generation.
>
> #2 is more reasonable.
>

Here is a question to ponder.

Mason, it seems, was born originally with the idea in mind for 
generating web pages.  Tools that are generic have their place, but so 
do tools that specialize.  Tools that specialize can implement 
optimizations since they do not have to consider possibilities outside 
their specialty.  Case in point is the question of HTML filters in the 
Mason core.

So, the question is: Has anyone used Mason for anything serious other 
than web page generation?  If the amount of people or projects using 
Mason that are not web based is essentially zero, it may be better to 
add web specific features and optimizations.

I do not know the answer to this question, except my own experience, 
which is that 100% of my Mason projects are for the web.

Paul Wallingford





Re: [Mason] Mason2: no default HTML escaping

2012-03-06 Thread Shane McCarron
I would prefer number two plus strong documentation encouraging the use of
the feature. Especially for newbies.
On Mar 6, 2012 6:13 PM, "Jonathan Swartz" wrote:

> I hear your concerns. So I'm not sure which of these you are suggesting:
> 1) Substitution tags should be HTML-escaped by default in Mason.
> 2) DefaultFilter should be implemented and documented in core Mason, so
> that it doesn't require a separate plugin install.
>
> #1 is hard to do because Mason is supposed to be content-type agnostic -
> usable for HTML generation but also other kinds of content generation.
>
> #2 is more reasonable.
>
> On Mar 5, 2012, at 4:55 AM, Jérôme Étévé wrote:
>
> > On 5 March 2012 12:33, Pedro Melo wrote:
> >
> >> For now I'm using the DefaultFilter plugin. It saves me a lot of
> >> typing and I believe it to be worth it, so my "problem" is solved.
> >
> > I agree with Pedro. Being able to define a default filter and
> > explicitly choose another one (or none) when needed is much better
> > from a security point of view, but also for programming convenience
> > (who said I'm lazy at typing | html ? :)).
> >
> > After all, software that uses default settings (right now I'm thinking
> > of Catalyst's default model or default view) is not so uncommon..
> >
> >
> >> --
> >> Pedro Melo
> >> @pedromelo
> >> http://www.simplicidade.org/
> >> http://about.me/melo
> >> xmpp:m...@simplicidade.org
> >> mailto:m...@simplicidade.org
> >
> >
> >
> > --
> > Jerome Eteve.
> >
> > http://sigstp.blogspot.com/
> > http://twitter.com/jeteve
> >


Re: [Mason] Mason2: no default HTML escaping

2012-03-06 Thread Jonathan Swartz
I hear your concerns. So I'm not sure which of these you are suggesting:
1) Substitution tags should be HTML-escaped by default in Mason.
2) DefaultFilter should be implemented and documented in core Mason, so that it 
doesn't require a separate plugin install.

#1 is hard to do because Mason is supposed to be content-type agnostic - usable 
for HTML generation but also other kinds of content generation.

#2 is more reasonable.

On Mar 5, 2012, at 4:55 AM, Jérôme Étévé wrote:

> On 5 March 2012 12:33, Pedro Melo wrote:
> 
>> For now I'm using the DefaultFilter plugin. It saves me a lot of
>> typing and I believe it to be worth it, so my "problem" is solved.
> 
> I agree with Pedro. Being able to define a default filter and
> explicitly choose another one (or none) when needed is much better
> from a security point of view, but also for programming convenience
> (who said I'm lazy at typing | html ? :)).
> 
> After all, software that uses default settings (right now I'm thinking
> of Catalyst's default model or default view) is not so uncommon..
> 
> 
>> --
>> Pedro Melo
>> @pedromelo
>> http://www.simplicidade.org/
>> http://about.me/melo
>> xmpp:m...@simplicidade.org
>> mailto:m...@simplicidade.org
>> 
> 
> 
> 
> -- 
> Jerome Eteve.
> 
> http://sigstp.blogspot.com/
> http://twitter.com/jeteve
> 




Re: [Mason] Mason2: no default HTML escaping

2012-03-05 Thread Jérôme Étévé
On 5 March 2012 12:33, Pedro Melo wrote:

> For now I'm using the DefaultFilter plugin. It saves me a lot of
> typing and I believe it to be worth it, so my "problem" is solved.

I agree with Pedro. Being able to define a default filter and
explicitly choose another one (or none) when needed is much better
from a security point of view, but also for programming convenience
(who said I'm lazy at typing | html ? :)).

After all, software that uses default settings (right now I'm thinking
of Catalyst's default model or default view) is not so uncommon..


> --
> Pedro Melo
> @pedromelo
> http://www.simplicidade.org/
> http://about.me/melo
> xmpp:m...@simplicidade.org
> mailto:m...@simplicidade.org
>



-- 
Jerome Eteve.

http://sigstp.blogspot.com/
http://twitter.com/jeteve



[Mason] Mason2: no default HTML escaping

2012-03-05 Thread Pedro Melo
Hi,

I'm starting to use Mason2 on new projects, and on the whole I think
the changes from HTML::Mason were extremely positive.

There is one aspect that bothers me: by default, substitution tags do
not perform an HTML escape filter.

I think this is a dangerous default, and forces me (let's ignore for
now the DefaultFilter plugin) to include | h on the vast majority of
my substitutions.

I was wondering why such decision was made. I read through the CAVEATS
section of the Mason::Plugin::DefaultFilter documentation, and while I
concede that a default filter configuration like Mason1
default_escape_flags is action-at-a-distance (and that is bad), I
find that the default is even worse.

For now I'm using the DefaultFilter plugin. It saves me a lot of
typing and I believe it to be worth it, so my "problem" is solved.

But I would like to understand why the decision of not doing HTML
escape was taken. My point of view is that a | raw is more obvious and
easier to grep for than the lack of a | h on the elements that
actually don't need the escaping.

Thanks in advance for your time,
-- 
Pedro Melo
@pedromelo
http://www.simplicidade.org/
http://about.me/melo
xmpp:m...@simplicidade.org
mailto:m...@simplicidade.org
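
The trade-off discussed in this thread (opt-in `| h` versus a default filter with an explicit `| raw`), as an added example that is not part of the original post and is not Mason code. It is a simplified Python model of substitution tags; the tag regex, the `render` and `unescaped_tags` helpers and the sample component are assumptions constructed for illustration.

```python
import html
import re

# Simplified model (assumption, not Mason's parser): a tag is <% $var %> or
# <% $var | filter %>. "h" and "raw" are the filter names used in the thread.
TAG = re.compile(r"<%\s*\$(?P<var>\w+)\s*(?:\|\s*(?P<filt>\w+)\s*)?%>")
FILTERS = {"h": lambda s: html.escape(s, quote=True), "raw": lambda s: s}

# Constructed sample component and data.
TEMPLATE = """<h1>Hello, <% $user | h %></h1>
<p>Bio: <% $bio %></p>
<div><% $trusted_html | raw %></div>"""
VARS = {"user": "A&B", "bio": "<script>x</script>", "trusted_html": "<b>ok</b>"}


def effective_filter(match, default_filter):
    """Explicit filter wins; otherwise the default; otherwise no escaping."""
    return match.group("filt") or default_filter or "raw"


def render(template, variables, default_filter=None):
    """Expand every substitution tag through its effective filter."""
    def expand(match):
        value = str(variables[match.group("var")])
        return FILTERS[effective_filter(match, default_filter)](value)
    return TAG.sub(expand, template)


def unescaped_tags(template, default_filter=None):
    """List (line number, tag text) for tags whose output is emitted raw."""
    hits = []
    for lineno, line in enumerate(template.splitlines(), 1):
        for match in TAG.finditer(line):
            if effective_filter(match, default_filter) == "raw":
                hits.append((lineno, match.group(0)))
    return hits


if __name__ == "__main__":
    for default in (None, "h"):
        print(f"default filter = {default!r}")
        print(render(TEMPLATE, VARS, default))
        print("unescaped:", unescaped_tags(TEMPLATE, default))
```

With no default filter the audit cannot tell a forgotten `| h` from a deliberately raw tag; with `h` as the default, every unescaped tag carries an explicit `| raw`.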
