Re: [Mason] Mason2: no default HTML escaping
On Wed, 9 May 2012, Paul Wallingford wrote:

> The problem is context. Escaping is appropriate in certain contexts and not in others. There are many ways to determine context, quite a few of them slow. The speed issues of Mason2, due largely to Moose as discussed in the past, means you do not want to add anything that makes things even slower.

Are you talking about a speed issue besides startup speed? Honestly, I'd be surprised if Mason 2 was significantly slower than Mason 1 at run time.

Mason 2 is noticeably *faster* than Mason 1 in terms of raw component call speed. This is because Mason 1 component calls did a bunch of custom stack maintenance and so on, whereas in Mason 2 it is pretty much component_class->new(@args)->run().

Mason 2 is probably slower to startup than Mason 1, like anything that uses Moose.

I can't get real worked up over this. I use Moose for all sorts of stuff and the startup speed never seems to bother me. I guess I'm not running lots of tiny scripts real frequently?

Need to rerun and publish these benchmarks.

Jon
Re: [Mason] Mason2: no default HTML escaping
On Wed, May 9, 2012 at 11:39 AM, Jonathan Swartz swa...@pobox.com wrote:

> This has got to be a common web template conundrum. Anyone know how Rails or Django solves it?

In Django's case, by forcing the user's hand (escaping by default, must be explicitly disabled through template notation). Rails apparently either does or doesn't, depending on the version. More recent versions act like Django.

As you noted, escaping by default would be fine and largely a non-argument if Mason were explicitly a Web template language, but it's not.

--
Stephen Clouse stephenclo...@gmail.com
Re: [Mason] Mason2: no default HTML escaping
On 5/9/2012 11:57 AM, Stephen Clouse wrote:

> On Wed, May 9, 2012 at 11:39 AM, Jonathan Swartz swa...@pobox.com wrote:
>
>> This has got to be a common web template conundrum. Anyone know how Rails or Django solves it?
>
> In Django's case, by forcing the user's hand (escaping by default, must be explicitly disabled through template notation). Rails apparently either does or doesn't, depending on the version. More recent versions act like Django.
>
> As you noted, escaping by default would be fine and largely a non-argument if Mason were explicitly a Web template language, but it's not.

The problem is context. Escaping is appropriate in certain contexts and not in others. There are many ways to determine context, quite a few of them slow. The speed issues of Mason2, due largely to Moose as discussed in the past, means you do not want to add anything that makes things even slower.

An example of a slow method would be a parser that breaks of the final output into a DOM tree and can apply escaping to the right parts.

An example of a method that preserves context is the CGI module. From the CPAN page:

    #!/usr/local/bin/perl -w
    use CGI;                             # load CGI routines
    $q = CGI->new;                       # create new CGI object
    print $q->header,                    # create the HTTP header
          $q->start_html('hello world'), # start the HTML
          $q->h1('hello world'),         # level 1 header
          $q->end_html;                  # end the HTML

With a new $q->javascript or $q->raw method, the system knows whether the output should be escaped, and can even apply different escaping rules based on context. Maybe you want to do some type of escaping to your Javascript that would be pathological when applied to normal HTML. With hooks, the programmer could even provide their own custom escaping rules.

I see two issues with this, but they are not major obstacles.

First, it takes some programmer discipline to program in the new style. However, since Mason2 is new and is a bit different than Mason1, Moose is certainly a new way of specifying objects, and the conversion from the old way of programming to the PBP way (for those people doing that), means that a change in style is not that drastic.

Second, while the CGI module may not be the best choice, it is a good example. Adding a small bit of code to Mason2 which is optimized for this process can improve performance over a general purpose module, like CGI.

This allows the programmer to specify output context while keeping Mason2 content agnostic. Essentially, if you want something not escaped at all, use $m->print, such as for generating cron files or Apache configs. If you want web escaping, use $m->html. Embedded Javascript could be $m->javascript and so on.

I think the default for text outside a <%perl> block should be HTML style escaping, since it seems that most Mason2 apps are web apps and most non-web Mason2 apps would need some sort of Perl to generate their output (and there is always the here-doc for boilerplate text).

Cheers.

Paul Wallingford
Re: [Mason] Mason2: no default HTML escaping
> As you noted, escaping by default would be fine and largely a non-argument if Mason were explicitly a Web template language, but it's not.

I'm confused Stephen, because this statement seems to contradict your other statement that escaping by default never works right, because too many templates contain a mix of html, javascript, css, etc. and that this is action at a distance (paraphrasing).

Mason is not explicitly a Web template language, but Poet *is* explicitly a web framework and reserves the right to tweak Mason settings appropriately. So it might well be reasonable to turn on HTML escaping by default for Poet.

In any case, it seems like default escaping is a reasonable feature for Mason to make available sans any scary caveats. Though ideally you'd be able to turn it on/off on a component or a directory basis, or even on a partial-component basis, rather than a giant on/off switch for your whole site.

If a thoughtful framework like django does this by default, then I'd say it's a pretty good bet Poet ought to as well.

Jon
Re: [Mason] Mason2: no default HTML escaping
On Wed, May 9, 2012 at 2:30 PM, Paul Wallingford p...@cybergestalt.net wrote:

> An example of a slow method would be a parser that breaks of the final output into a DOM tree and can apply escaping to the right parts.

That assumes that there is a DOM tree to be parsed.

> An example of a method that preserves context is the CGI module.

Or a CGI environment.

> Essentially, if you want something not escaped at all, use $m->print, such as for generating cron files or Apache configs. If you want web escaping, use $m->html. Embedded Javascript could be $m->javascript and so on.

This defeats the entire point of a template language. If I have to call methods to DWIM, I might as well write it all in raw Perl code. Note, again, that Mason is a *general-purpose* template language, not necessarily a *web* template language.

> I think the default for text outside a <%perl> block should be HTML style escaping, since it seems that most Mason2 apps are web apps and most non-web Mason2 apps would need some sort of Perl to generate their output (and there is always the here-doc for boilerplate text).

One thing I've (ab)used Mason for in the past is dynamic generation of kickstart configs for Fedora network installs. There was a minimal amount of Perl in an <%init> block, and the heavy lifting was handled via Mason template inheritance. No <%perl> blocks at all, and I shudder to even think what that would have looked like had it been a requirement. Actually, it probably would have looked like Template Toolkit, because that sort of onerous requirement would have made Mason the Wrong Thing for the project. (And perhaps it was anyway, but I like to think the final product was quite elegant.)

Don't assume that people have done it your way. TMTOWTDI, after all.

--
Stephen Clouse stephenclo...@gmail.com
Re: [Mason] Mason2: no default HTML escaping
On Wed, May 9, 2012 at 3:15 PM, Jonathan Swartz swa...@pobox.com wrote:

>> As you noted, escaping by default would be fine and largely a non-argument if Mason were explicitly a Web template language, but it's not.
>
> I'm confused Stephen, because this statement seems to contradict your other statement that escaping by default never works right, because too many templates contain a mix of html, javascript, css, etc. and that this is action at a distance (paraphrasing).

*Personally*, I wouldn't want it for that exact reason, but I'm not Mason/Poet's primary author :)

> If a thoughtful framework like django does this by default, then I'd say it's a pretty good bet Poet ought to as well.

This justification I can get behind, whether I agree with the result or not.

--
Stephen Clouse stephenclo...@gmail.com
Re: [Mason] Mason2: no default HTML escaping
> I think the default for text outside a <%perl> block should be HTML style escaping, since it seems that most Mason2 apps are web apps and most non-web Mason2 apps would need some sort of Perl to generate their output (and there is always the here-doc for boilerplate text).

Have to disagree, I use Mason to generate httpd.conf files all the time. In fact Poet will have a plugin to do just that.

But for the specific Mason interpreter that Poet creates to answer web requests, I am leaning towards escaping html by default, as long as there are various convenient ways to turn it off.
Re: [Mason] Mason2: no default HTML escaping
Hi,

On Wed, May 9, 2012 at 9:16 PM, Stephen Clouse stephenclo...@gmail.com wrote:

> Note, again, that Mason is a *general-purpose* template language, not necessarily a *web* template language.

True, but most of Mason use is to generate Web pages, so I would suggest that the most common case should be correct by default.

Either way I'm happy with the changes Jon did to mention DefaultFilter more often in the documentation. I still believe HTML escaping should be on by default to cover the most common case (simple things should be easy, hard things should be possible and all that...) but I'm content with the current text in the docs.

I'm also happy to see Jon mentioning that Poet might default to escape HTML.

Bye,
--
Pedro Melo
@pedromelo
http://www.simplicidade.org/ http://about.me/melo
xmpp:m...@simplicidade.org mailto:m...@simplicidade.org
Re: [Mason] Mason2: no default HTML escaping
On 5/9/2012 1:16 PM, Stephen Clouse wrote:

> Don't assume that people have done it your way. TMTOWTDI, after all.

I don't. I have asked before what people thought regarding the most common use for Mason. I do not deny it is used for non-web applications. Several people in the past pointed out that they use it for other types of content generation.

On 2012-03-06, Dave Rolsky wrote

> I often use Mason as the templating language with tools that generate config files. That said, I'm all for having HTML filters in the core, although I'm not actually using Mason 2 for anything right now.

However, in my opinion, I believe that Mason is used *most of the time* for web content. I do not have any real statistics to support that, just my experience with it, and what I read on this list.

So, I will ask once again, what percentage of the time do people use Mason for web versus non-web generation?

Perl claims to make easy things easy and hard things possible. If Mason is used most of the time for web content generation, then it should have defaults set for web output with ways to override that for those _once in a lifetime_ type projects, like your Fedora install script.

Cheers.

Paul Wallingford
Re: [Mason] Mason2: no default HTML escaping
On Mar 7, 2012, at 1:49 AM, Pedro Melo wrote:

> On Wed, Mar 7, 2012 at 12:11 AM, Jonathan Swartz swa...@pobox.com wrote:
>
>> I hear your concerns. So I'm not sure which of these you are suggesting:
>>
>> 1) Substitution tags should be HTML-escaped by default in Mason.
>
> This one would be my choice *if* Mason was used only for the web.

I still think it is difficult to set this default, given that substitution tags can be used when generating javascript, JSON, css, etc. even in a web environment. At the very least we'd need the ability to turn the default on/off on a per-component or directory basis, rather than for an entire site.

>> 2) DefaultFilter should be implemented and documented in core Mason, so that it doesn't require a separate plugin install.
>
> I think this should happen either way. Maybe not move into the core, but at least document it, and remove the big scary CAVEAT section from the DefaultFilter docs (I know it's not your module, but I think if you suggested it to Stephen he would agree).

For now, I've added DefaultFilter to the Mason documentation in multiple places.

> The previous paragraph, and the fact that we can't target components to specific HTTP methods (like Dave mentioned in the GET/POST parameters thread), argue that the Mason dispatcher is a bit too limited. I have mixed feelings about it. On one hand I like that it's simple, just drop files into a directory and you are done. On the other, if we could add route filters for HTTP method, mime/type and/or others, we could tweak the defaults for each request, and provide saner HTTP error codes.

The Mason dispatcher will probably always be feature-light compared with other frameworks. But adding the ability to filter on GET/POST does seem reasonable. Suggestions on syntax welcome. It could be a class method, e.g.

    CLASS->allow_http_methods('POST');

or perhaps Mason looks for specifically named methods, e.g.

    method handle_POST { ... }
Re: [Mason] Mason2: no default HTML escaping
On Wed, Mar 7, 2012 at 12:11 AM, Jonathan Swartz swa...@pobox.com wrote:

> I hear your concerns. So I'm not sure which of these you are suggesting:
>
> 1) Substitution tags should be HTML-escaped by default in Mason.

This one would be my choice *if* Mason was used only for the web.

> 2) DefaultFilter should be implemented and documented in core Mason, so that it doesn't require a separate plugin install.

I think this should happen either way. Maybe not move into the core, but at least document it, and remove the big scary CAVEAT section from the DefaultFilter docs (I know it's not your module, but I think if you suggested it to Stephen he would agree).

> #1 is hard to do because Mason is supposed to be content-type agnostic - usable for HTML generation but also other kinds of content generation.

<braindump>

OTOH, Mason is mainly used to generate HTML, and I really don't like insecure by default situations. I truly understand that Mason is used to generate other types of content, I use it to generate text parts of mail messages and JSON responses.

Understand that I'm raising the concern, I don't claim to have a perfect answer for this.

Part of me would like more magical behavior based on the output mime/type. If Mason knows the mime/type he is generating, he could pick saner choices for some of its defaults, like the default filters for substitution tags. But this might seem a bit too magical.

The previous paragraph, and the fact that we can't target components to specific HTTP methods (like Dave mentioned in the GET/POST parameters thread), argue that the Mason dispatcher is a bit too limited. I have mixed feelings about it. On one hand I like that it's simple, just drop files into a directory and you are done. On the other, if we could add route filters for HTTP method, mime/type and/or others, we could tweak the defaults for each request, and provide saner HTTP error codes.

A valid response is just don't use Mason dispatcher if you need that stuff.

</braindump>

Thanks,
--
Pedro Melo
@pedromelo
http://www.simplicidade.org/ http://about.me/melo
xmpp:m...@simplicidade.org mailto:m...@simplicidade.org
Re: [Mason] Mason2: no default HTML escaping
On 7 March 2012 09:49, Pedro Melo m...@simplicidade.org wrote:

> #1 is hard to do because Mason is supposed to be content-type agnostic - usable for HTML generation but also other kinds of content generation.

The default filter is defined in the interpreter instance. If you need to use Mason to generate any type of content, you can perfectly have different interpreters with different default filters. Anything wrong with that?

If users really insist on having the same Mason interpreter to render different types of contents, maybe the default filter should be a property of the component? Define it in Base.mc for your HTML generating component directory .. job done.

--
Jerome Eteve.
http://sigstp.blogspot.com/
http://twitter.com/jeteve
Re: [Mason] Mason2: no default HTML escaping
On Mar 6, 2012, at 5:18 PM, Paul Wallingford wrote:

> On 3/6/2012 4:11 PM, Jonathan Swartz wrote:
>
>> I hear your concerns. So I'm not sure which of these you are suggesting:
>>
>> 1) Substitution tags should be HTML-escaped by default in Mason.
>> 2) DefaultFilter should be implemented and documented in core Mason, so that it doesn't require a separate plugin install.
>>
>> #1 is hard to do because Mason is supposed to be content-type agnostic - usable for HTML generation but also other kinds of content generation. #2 is more reasonable.
>
> Here is a question to ponder. Mason, it seems, was born originally with the idea in mind for generating web pages. Tools that are generic have their place, but so do tools that specialize. Tools that specialize can implement optimizations since they do not have to consider possibilities outside their specialty. Case in point is the question of HTML filters in the Mason core.
>
> So, the question is: Has anyone used Mason for anything serious other than web page generation? If the amount of people or projects using Mason that are not web based is essentially zero, it may be better to add web specific features and optimizations.
>
> I do not know the answer to this question, except my own experience, which is that 100% of my Mason projects are for the web.

I use Mason to generate httpd and other conf files at work.

You're probably correct, though, that 99% of Mason's use is in generating web content. However, that isn't always HTML pages; I've used it to generate javascript and JSON results too, where HTML escaping would definitely be unwelcome.

So I think it's better to have a well-supported, easy way to html-escape all substitution tags than to put this in as the global default.

Jon
Re: [Mason] Mason2: no default HTML escaping
On Mar 7, 2012, at 1:59 AM, Jérôme Étévé wrote:

> On 7 March 2012 09:49, Pedro Melo m...@simplicidade.org wrote:
>
>> #1 is hard to do because Mason is supposed to be content-type agnostic - usable for HTML generation but also other kinds of content generation.
>
> The default filter is defined in the interpreter instance. If you need to use Mason to generate any type of content, you can perfectly have different interpreters with different default filters. Anything wrong with that?

Nothing wrong with that. It's fine to be able to set a default filter in each interpreter. I just don't think it can be the default for Mason out of the box.

> If users really insist on having the same Mason interpreter to render different types of contents, maybe the default filter should be a property of the component? Define it in Base.mc for your HTML generating component directory .. job done.

That would be nice. The problem is that the default filter affects compilation of the component (in particular, it affects how <% %> tags are converted to Perl) so it isn't a simple call you could put in the <%class> section, for example - it would have to be a <%flags>, and currently there is no way to inherit those.

But I agree, it's appealing to be able to set the default filter on a per-component basis, just for the components that output HTML. Would just like a better syntax than

    <%flags>
    default_filters => ['H']
    </%flags>

Yuck.

Jon
Re: [Mason] Mason2: no default HTML escaping
On Wed, Mar 7, 2012 at 9:59 AM, Jérôme Étévé jerome.et...@gmail.com wrote:

> On 7 March 2012 09:49, Pedro Melo m...@simplicidade.org wrote:
>
>> #1 is hard to do because Mason is supposed to be content-type agnostic - usable for HTML generation but also other kinds of content generation.

(this quote is not mine, btw...)

> The default filter is defined in the interpreter instance. If you need to use Mason to generate any type of content, you can perfectly have different interpreters with different default filters. Anything wrong with that?

Nothing, but it's not that simple. If I have a website that generates HTML (normal pages), JSON (AJAX or API) and XML (feeds), should I have several interpreters? And use Plack::Builder to mount each of them on different prefixes?

Doable but ugly :)

Bye,
--
Pedro Melo
@pedromelo
http://www.simplicidade.org/ http://about.me/melo
xmpp:m...@simplicidade.org mailto:m...@simplicidade.org
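
[Added example, not part of any message in this thread and not Mason or DefaultFilter code.] The option weighed in the messages above, a default filter chosen per interpreter plus a per-tag override, sketched as a toy renderer in plain Perl. The filter names J and N, the render and apply_filters helpers and the sample values are assumptions of this sketch; only the H filter name and the <% ... %> tag notation come from the discussion.

```perl
#!/usr/bin/perl
# Added illustration: a toy substitution-tag renderer, NOT Mason and NOT the
# DefaultFilter plugin. Each renderer call gets its own default filter list;
# an explicit "| X,Y" list on a tag replaces that default for the tag.
use strict;
use warnings;
use JSON::PP ();

my $json = JSON::PP->new->allow_nonref;    # allow encoding a bare string
my %ENT  = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
            '"' => '&quot;', "'" => '&#39;');

# 'H' is the filter name used in the thread; 'J' and 'N' are assumed names.
my %FILTERS = (
    H => sub {                       # HTML text / attribute value
        my ($s) = @_;
        $s =~ s/([&<>"'])/$ENT{$1}/g;
        return $s;
    },
    J => sub {                       # JavaScript / JSON string literal
        my $out = $json->encode("$_[0]");
        $out =~ s/</\\u003c/g;       # data containing "</script>" cannot end the block
        return $out;
    },
    N => sub { return $_[0] },       # explicit "no escaping"
);

# Run one value through a list of filters, failing loudly on unknown names.
sub apply_filters {
    my ($vars, $name, $filters) = @_;
    die "unknown variable \$$name\n" unless exists $vars->{$name};
    my $value = $vars->{$name};
    for my $f (@$filters) {
        my $code = $FILTERS{$f} or die "unknown filter '$f'\n";
        $value = $code->($value);
    }
    return $value;
}

# Expand <% $var %> with the defaults and <% $var | A,B %> with the listed filters.
sub render {
    my ($template, $vars, $defaults) = @_;
    $template =~ s{<%\s*\$(\w+)\s*(?:\|\s*(\w+(?:\s*,\s*\w+)*)\s*)?%>}{
        my ($name, $spec) = ($1, $2);    # copy before any filter runs a regex
        apply_filters($vars, $name,
            defined $spec ? [ split /\s*,\s*/, $spec ] : $defaults);
    }ge;
    return $template;
}

# Constructed sample data: a display name with markup characters, a path with '&'.
my %vars = (
    name    => 'Tom & "Jerry" <tj@example.org>',
    docroot => '/srv/www/r&d',
);

my $page   = '<p>Hello, <% $name %></p>';
my $script = '<script>var user = <% $name | J %>;</script>';
my $api    = '{"user": <% $name %>}';
my $conf   = 'DocumentRoot "<% $docroot %>"';

my @cases = (
    # [ label, template, default filters of this renderer ]
    [ 'HTML page, no default',    $page,   []    ],  # data markup reaches the page
    [ 'HTML page, default H',     $page,   ['H'] ],
    [ 'inline script, default H', $script, ['H'] ],  # "| J" replaces H for this tag
    [ 'JSON API, default H',      $api,    ['H'] ],  # wrong context: not valid JSON
    [ 'JSON API, default J',      $api,    ['J'] ],
    [ 'httpd.conf, default H',    $conf,   ['H'] ],  # path corrupted by entities
    [ 'httpd.conf, no default',   $conf,   []    ],
);
printf "%-26s %s\n", $_->[0], render($_->[1], \%vars, $_->[2]) for @cases;
```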
Re: [Mason] Mason2: no default HTML escaping
I hear your concerns. So I'm not sure which of these you are suggesting:

1) Substitution tags should be HTML-escaped by default in Mason.
2) DefaultFilter should be implemented and documented in core Mason, so that it doesn't require a separate plugin install.

#1 is hard to do because Mason is supposed to be content-type agnostic - usable for HTML generation but also other kinds of content generation. #2 is more reasonable.

On Mar 5, 2012, at 4:55 AM, Jérôme Étévé wrote:

> On 5 March 2012 12:33, Pedro Melo m...@simplicidade.org wrote:
>
>> For now I'm using the DefaultFilter plugin. It saves me a lot of typing and I believe it to be worth it, so my problem is solved.
>
> I agree with Pedro. Being able to define a default filter and explicitly choose another one (or none) when needed is much better from a security point of view, but also for programming convenience (who said I'm lazy at typing | html ? :)).
>
> After all, software that uses default settings (right now I'm thinking of Catalyst's default model or default view) is not so uncommon..
>
>> --
>> Pedro Melo
>> @pedromelo
>> http://www.simplicidade.org/ http://about.me/melo
>> xmpp:m...@simplicidade.org mailto:m...@simplicidade.org
>
> --
> Jerome Eteve.
> http://sigstp.blogspot.com/
> http://twitter.com/jeteve
Re: [Mason] Mason2: no default HTML escaping
On 3/6/2012 4:11 PM, Jonathan Swartz wrote:

> I hear your concerns. So I'm not sure which of these you are suggesting:
>
> 1) Substitution tags should be HTML-escaped by default in Mason.
> 2) DefaultFilter should be implemented and documented in core Mason, so that it doesn't require a separate plugin install.
>
> #1 is hard to do because Mason is supposed to be content-type agnostic - usable for HTML generation but also other kinds of content generation. #2 is more reasonable.

Here is a question to ponder. Mason, it seems, was born originally with the idea in mind for generating web pages. Tools that are generic have their place, but so do tools that specialize. Tools that specialize can implement optimizations since they do not have to consider possibilities outside their specialty. Case in point is the question of HTML filters in the Mason core.

So, the question is: Has anyone used Mason for anything serious other than web page generation? If the amount of people or projects using Mason that are not web based is essentially zero, it may be better to add web specific features and optimizations.

I do not know the answer to this question, except my own experience, which is that 100% of my Mason projects are for the web.

Paul Wallingford
Re: [Mason] Mason2: no default HTML escaping
On Tue, 6 Mar 2012, Paul Wallingford wrote:

> So, the question is: Has anyone used Mason for anything serious other than web page generation? If the amount of people or projects using Mason that are not web based is essentially zero, it may be better to add web specific features and optimizations.

I often use Mason as the templating language with tools that generate config files.

That said, I'm all for having HTML filters in the core, although I'm not actually using Mason 2 for anything right now.

-dave

/*
http://VegGuide.org               http://blog.urth.org
Your guide to all that's veg      House Absolute(ly Pointless)
*/