[Dancer-users] Dancer and XSS
sawyer x
xsawyerx at gmail.com
Wed Apr 14 09:07:35 UTC 2010
On Wed, Apr 14, 2010 at 11:38 AM, Alexis Sukrieh <sukria at sukria.net> wrote:
> Hi John,
>
Hey
> > 2 - explicit html-escape in templates (con: you need this on nearly all
> variable interpolations in every template)
>
> This is not yet possible, but will be as soon as we add support for
> another kind of filter: "before_template", see
> http://github.com/sukria/Dancer/issues#issue/60
>
Also, this can be done using the template engine of your choice (if it
supports it).
Template Toolkit supports "| html" filter, which escapes your outputted
variable.
> > 3 - auto html-escape in templates (con: this breaks some complex template
> logic)
>
Seems like it would suck to work with it.
"<% IF var == "3>" %>"
S.
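Added example, not code from the thread or the Dancer project: the Template Toolkit "| html" filter mentioned above, applied to a constructed attacker-controlled value, with the unfiltered interpolation beside it for comparison. The `name` variable and the payload string are assumptions made up for the demo.

```perl
#!/usr/bin/env perl
# Added example (not from the original thread): Template Toolkit's built-in
# "html" filter versus a plain interpolation of the same user-supplied value.
use strict;
use warnings;
use Template;

# Constructed sample input, as a Dancer route might hand it to the template.
my $vars = { name => q{<script>alert("xss")</script>} };

my $tt = Template->new() or die Template->error;

# Unfiltered interpolation: whatever the user sent is emitted as markup.
my $raw_tmpl  = '<p>Hello [% name %]</p>';
# Filtered interpolation: "| html" rewrites & < > " as HTML entities, so the
# value is rendered as text instead of being parsed as markup.
my $safe_tmpl = '<p>Hello [% name | html %]</p>';

# The same filter can cover a whole block rather than one variable.
my $block_tmpl = "[% FILTER html %]<em>[% name %]</em>[% END %]";

for my $tmpl ($raw_tmpl, $safe_tmpl, $block_tmpl) {
    my $out = '';
    $tt->process(\$tmpl, $vars, \$out) or die $tt->error;
    print "$out\n";
}

# Caveat: "html" escapes only & < > and the double quote. It is meant for
# HTML body text and double-quoted attribute values; single-quoted
# attributes, JavaScript strings and URLs need context-specific escaping.
```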