On Mon, Oct 17, 2005 at 10:08:13AM +1000, Mike wrote:
>my $template = HTML::Template->new(filename=>'filename.tmpl',
>html_escape=>1);
Orthogonality, please:
escape => 'html'
just as we have ESCAPE=HTML in the templates.
Remember that there also exists ESCAPE=URL, and I'm sure various people
I think that would be a good idea. Perhaps have an extra parameter when
creating a new template object such as html_escape:
my $template = HTML::Template->new(filename=>'filename.tmpl',
html_escape=>1);
...to turn all escaping for that object on by default. If the programmer
wanted the exi
If this is going to happen, can we make it optional, as some of us don't
want escaping.
Mathew
I'm curious about what other people think about an option to
turn ESCAPE=HTML on default, to protect against cross script scripting
practices by default.
Sure, sounds reasonable to me.
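An added example, not part of the original thread or the module's own code: what a per-object default escape looks like from the caller's side, with per-variable overrides so that ESCAPE=URL still works and escaping stays optional. It assumes an HTML::Template release that provides the default_escape constructor option and ESCAPE=NONE (neither spelling appears in the thread); the template and values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Template;

# Constructed template: one plain variable, one with an explicit URL escape,
# and one that opts out of escaping because it carries trusted markup.
my $tmpl = <<'EOT';
<p>Hello, <TMPL_VAR NAME=NAME></p>
<a href="/search?q=<TMPL_VAR ESCAPE=URL NAME=QUERY>">search</a>
<div><TMPL_VAR ESCAPE=NONE NAME=BANNER></div>
EOT

# Constructed values: NAME and QUERY stand in for untrusted user input.
my %values = (
    NAME   => '<script>alert(1)</script>',
    QUERY  => 'a&b=c d',
    BANNER => '<em>site notice</em>',
);

# Render the same template with whatever constructor options are passed in.
sub render {
    my (%opts) = @_;
    my $t = HTML::Template->new(scalarref => \$tmpl, %opts);
    $t->param(%values);
    return $t->output;
}

# Without a default, the plain TMPL_VAR emits the value verbatim.
my $raw = render();

# Assumption: default_escape applies HTML escaping to every TMPL_VAR that
# does not declare its own ESCAPE attribute.
my $safe = render(default_escape => 'HTML');

print "--- no default escaping ---\n$raw\n";
print "--- default_escape => 'HTML' ---\n$safe\n";

# Checks a template author would want to hold after turning the default on.
die "NAME was not escaped\n"       if $safe =~ /<script>/;
die "URL escape was overridden\n"  unless $safe =~ /q=a%26b%3Dc%20d/;
die "opt-out was not honoured\n"   unless $safe =~ m{<em>site notice</em>};
print "all checks passed\n";
```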