On Thu, 22 Dec 2005, Alex Kapranoff wrote:
Too bad I was late to send additional ESCAPE=none (as a synonym for
ESCAPE=0) patch for completeness. It was sleeping time over here
between your two mails -- this and release announcement :)
Yeah, I wondered if that would be required by default_escap
* Sam Tregar <[EMAIL PROTECTED]> [December 22 2005, 01:59]:
> > I added tests for loops and includes, they seem to succeed. Updated
> >patch below.
>
> Applied for 2.8, which is coming soon by the way!
That's nice, thanks!
Too bad I was late to send additional ESCAPE=none (as a synonym for
ESCAP
On Tue, 18 Oct 2005, Alex Kapranoff wrote:
I added tests for loops and includes, they seem to succeed. Updated
patch below.
Applied for 2.8, which is coming soon by the way!
Thanks,
-sam
---
hehe - then you haven't tried my version of H::T ...
I modified H::T so that it dynamically loads the appropriate
escape module -> you simply do this:
package HTML::Template::ESCAPE::HTML_JS;
use HTML::Template::ESCAPE;
$HTML::Template::ESCAPE::HTML_JS::VERSION = '1.0';
sub output {
my $self
You are right, that would suffice. But as far as I understand, making
escape modules is not trivial. Escaping is not abstracted enough inside
HTML::Template.
* Mathew Robertson <[EMAIL PROTECTED]> [October 20 2005, 08:22]:
> Is layered-escaping that is needed, or can we simply make a new escape
>
Is layered-escaping that is needed, or can we simply make a new
escape module called, say "HTML_JS"
Mathew
Alex Kapranoff wrote:
* Philip Tellis <[EMAIL PROTECTED]> [October 18 2005, 16:02]:
s/pretty hard/impossible/;
That's why there's only 1 _default_.
Oh
On 18/10/05, Philip Tellis <[EMAIL PROTECTED]> wrote:
> Oh well, "Perl is designed to make the easy jobs easy, without making
> the hard jobs impossible."
>
> I'd hoped that it was also, "... make impossible jobs pretty hard"
touché :)
A new option to allow HTML::Template to load up HTML::Parser
* Philip Tellis <[EMAIL PROTECTED]> [October 18 2005, 16:02]:
> >s/pretty hard/impossible/;
> >That's why there's only 1 _default_.
>
> Oh well, "Perl is designed to make the easy jobs easy, without making
> the hard jobs impossible."
>
> I'd hoped that it was also, "... make impossible jobs pre
Sometime Today, CF cobbled together some glyphs to say:
s/pretty hard/impossible/;
That's why there's only 1 _default_.
Oh well, "Perl is designed to make the easy jobs easy, without making
the hard jobs impossible."
I'd hoped that it was also, "... make impossible jobs pretty hard"
--
The
On 18/10/05, Philip Tellis <[EMAIL PROTECTED]> wrote:
> I want both to be on by
> default.
There can only be 1 _default_, by definition
> It makes sense therefore to do this:
>
> html_escape => 1, js_escape => 1, foo_escape => 0
> Of course, it's pretty hard to figure out which TMPL_VARs need to
Yes, I realise this now. My apologies for confusing the matter.
Mike.
- Original Message -
From: "Philip Tellis" <[EMAIL PROTECTED]>
To: "HTML::Template List"
Sent: Tuesday, October 18, 2005 9:27 PM
Subject: Re: [htmltmpl] option to turn ESCAPE=HTML on by
Sometime Today, AK cobbled together some glyphs to say:
Mike, default_escape can be set to 'URL' or even 'JS' (there's
Javascript escaping in recent HTML::Template too). That's even tested
Consider this:
If I have some code in my template that needs to be html escaped, and
other code that nee
Mike, default_escape can be set to 'URL' or even 'JS' (there's
Javascript escaping in recent HTML::Template too). That's even tested
in my patch. I use non-html escapings a lot myself and that's why I
did it this way.
* Mike <[EMAIL PROTECTED]> [October 18 2005, 15:05]:
> Sorry to be a pain here,
Sorry to be a pain here, but given that there is also a ESCAPE=URL option
(as Roger pointed out), would it be better to revert back to my original
suggestion of setting 'html_escape' (and now 'url_escape') to 1 (or ON) in
the constructor if they are to be defaults for the template file? Exactly
* Sam Tregar <[EMAIL PROTECTED]> [October 17 2005, 21:49]:
> > diff -ruN /tmp/HTML-Template-2.7/Template.pm HTML-Template-2.7/Template.pm
> > --- /tmp/HTML-Template-2.7/Template.pm Fri Jun 18 21:42:06 2004
> > +++ HTML-Template-2.7/Template.pm Mon Oct 17 14:43:36 2005
> > @@ -955,6 +955,7 @@
On Mon, 17 Oct 2005, Alex Kapranoff wrote:
> One name, one function, please :)
> default_escape => 'html'.
>
> Patch below, with tests.
Very cool.
> diff -ruN /tmp/HTML-Template-2.7/Template.pm HTML-Template-2.7/Template.pm
> --- /tmp/HTML-Template-2.7/Template.pmFri Jun 18 21:42:06 200
* Roger Burton West <[EMAIL PROTECTED]> [October 17 2005, 07:10]:
> >my $template = HTML::Template->new(filename=>'filename.tmpl',
> >html_escape=>1);
>
> Orthogonality, please:
> escape => 'html'
>
> just as we have ESCAPE=HTML in the templates.
One name, one function, please :)
default_escape
On Mon, Oct 17, 2005 at 10:08:13AM +1000, Mike wrote:
>my $template = HTML::Template->new(filename=>'filename.tmpl',
>html_escape=>1);
Orthogonality, please:
escape => 'html'
just as we have ESCAPE=HTML in the templates.
Remember that there also exists ESCAPE=URL, and I'm sure various people
" <[EMAIL PROTECTED]>
To:
Sent: Monday, October 17, 2005 9:46 AM
Subject: Re: [htmltmpl] option to turn ESCAPE=HTML on by default
If this is going to happen, can we make it optional, as some of us don't
want escaping.
Mathew
I'm curious about what other people think about an o
If this is going to happen, can we make it optional, as some of us don't
want escaping.
Mathew
I'm curious about what other people think about an option to
turn ESCAPE=HTML on default, to protect against cross script scripting
practices by default.
Sure, sounds reasonable to me.
--
On Fri, 14 Oct 2005, Mark Stosberg wrote:
> I'm curious about what other people think about an option to
> turn ESCAPE=HTML on default, to protect against cross script scripting
> practices by default.
Sure, sounds reasonable to me.
-sam
---
On Oct 14, 2005, at 9:37 AM, Mark Stosberg wrote:
I'm curious about what other people think about an option to
turn ESCAPE=HTML on default, to protect against cross script scripting
practices by default.
OMG YES!! 95% of all my vars have ESCAPE=HTML on them. Making this the
default would tak
On Fri, Oct 14, 2005 at 06:49:40PM +0400, Alex Kapranoff wrote:
>* Mark Stosberg <[EMAIL PROTECTED]> [October 14 2005, 18:37]:
>> I'm curious about what other people think about an option to
>> turn ESCAPE=HTML on default, to protect against cross script scripting
>> practices by default.
>All for
* Mark Stosberg <[EMAIL PROTECTED]> [October 14 2005, 18:37]:
> I'm curious about what other people think about an option to
> turn ESCAPE=HTML on default, to protect against cross script scripting
> practices by default.
>
> This seems especially valuable when the convenient "associate => $q"
>
Hello,
I'm curious about what other people think about an option to
turn ESCAPE=HTML on default, to protect against cross script scripting
practices by default.
This seems especially valuable when the convenient "associate => $q"
option is used.
Then programmers would be forcing themselves to