[dancer-users] Template Toolkit Sort Hash

Shlomi Fish shlomif at shlomifish.org
Mon Sep 28 14:54:28 BST 2015


Hi Richard,

replying to the list. Please reply to the list next time - see the last line of
my signature.

On Mon, 28 Sep 2015 08:32:08 -0500
Richard Reina <gatorreina at gmail.com> wrote:

> 2015-09-28 3:28 GMT-05:00 Shlomi Fish <shlomif at shlomifish.org>:
> 
> > Hi Richard,
> >
> > some comments on your code:
> >
> > On Sun, 27 Sep 2015 17:59:42 -0500
> > Richard Reina <gatorreina at gmail.com> wrote:
> >
> > > 2015-09-27 11:24 GMT-05:00 Dave Cross <dave at dave.org.uk>:
> > >
> > > >
> > > > On 27/09/15 16:34, Richard Reina wrote:
> > > >
> > > > I think I am going to try to figure out how to use an array reference
> > > >> instead. Traveling so can't try it until I get back tomorrow.
> > > >>
> > > >
> > > > You can, of course, try whatever approach you want. But my second
> > solution
> > > > will work.
> > > >
> > > > Dave...
> > > >
> > > > --
> > > >
> > >
> > > Hi Dave,
> > >
> > > This did in fact work. Here is how I ended up incorporating your
> > solution.
> > >
> > >  <div class="well" style="max-height: 300px;overflow: auto;">
> > >                 <ul class="list-group fancy-list-items">    <!-- <ul
> > > class="list-group checked-list-box"> -->
> > >              <table style="width:100%">
> > >                <% FOREACH Pat IN Pats.values.sort('SNAME') -%>
> > >                 <tr class="list-group-item">
> > >                   <td width="25"><% Pat.ID %>
> > >                   <td width="70"><% Pat.SNAME %>
> > >                   <td width="75"><% Pat.ANAME %>
> > >                   <td width="35"><% Pat.SSN %>
> > >                   <td width="35"><% Pat.YR %>
> > >                   <td width="250"><% Pat.CHNAME %>
> > >                   <td width="550"><% Pat.DESCRIP %>
> >
> > 1. You're missing the closing tag - "</td>".
> >
> 
>    Thanks for pointing that out.  Can't believe I missed that.
> 

You're welcome. Are you validating your output? Do you have automated tests to
do it for you?

> 
> > 2. Are you sure you're avoiding
> > https://en.wikipedia.org/wiki/Cross-site_scripting ? Also see
> > http://perl-begin.org/tutorials/bad-elements/#code_and_markup_injection .
> >
> >
> I am not sure. Despite reading the recommended links I don't know enough to
> be sure. Why do you ask?

Because cross-site scripting (XSS) can be a serious security vulnerability.
Let's suppose you put a field called "myfield" that was input from the user
directly into the HTML:

	<td><% myfield %></td>

Then a malicious user can put something like this in "myfield":

	<script type="text/javascript">alert('XSS!')</script>

And this is just the beginning of malicious JS that can be inserted.

As a precautionary measure, see:

https://metacpan.org/release/Template-Stash-AutoEscaping

Regards,

	Shlomi Fish



-- 
-----------------------------------------------------------------
Shlomi Fish       http://www.shlomifish.org/
Optimising Code for Speed - http://shlom.in/optimise

A: I’m hungry today.
B: Well, wait until tomorrow. Maybe this feeling will pass.

Please reply to list if it's a mailing list post - http://shlom.in/reply .
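The point Shlomi makes above, as an added example that is not part of the original thread: a Template Toolkit render of the same `<td><% myfield %></td>` fragment with an attacker-controlled value, first unescaped and then through the built-in `html` filter, plus the `FOREACH ... Pats.values.sort('SNAME')` loop from Richard's template with the filter applied to each cell. It assumes only the `Template` module is installed; the `render` helper, the `Pats` sample data and the payload string are constructed for the example.

```perl
#!/usr/bin/env perl
# Added example (not code from the thread): Template Toolkit output with and
# without HTML escaping, using Dancer's default <% %> tag style.
use strict;
use warnings;
use Template;

my $tt = Template->new({ START_TAG => '<%', END_TAG => '%>' });

# Render a template string with the given variables and return the output.
sub render {
    my ($template, $vars) = @_;
    my $out = '';
    $tt->process(\$template, $vars, \$out) or die $tt->error;
    return $out;
}

# Constructed attacker-controlled value, the one quoted in the message above.
my $payload = q{<script type="text/javascript">alert('XSS!')</script>};

# Vulnerable: the value is interpolated verbatim into the markup.
my $unsafe = render('<td><% myfield %></td>', { myfield => $payload });

# Hardened: the html filter turns <, >, & and " into entities, so the
# browser shows the text instead of running it.
my $safe = render('<td><% myfield | html %></td>', { myfield => $payload });

print "unescaped: $unsafe\n";
print "escaped:   $safe\n";

die "script tag reached the escaped output\n" if $safe =~ /<script/;
die "vulnerable template should pass the tag through\n"
    unless $unsafe =~ /<script/;

# The same idea applied to the hash-of-hashes loop from the thread: sort by
# SNAME as Richard does, but escape every cell. Data is constructed.
my %pats = (
    p2 => { ID => 2, SNAME => 'Zed',   CHNAME => $payload },
    p1 => { ID => 1, SNAME => 'Alpha', CHNAME => 'Plain text' },
);

my $table = render(<<'TT', { Pats => \%pats });
<table>
<% FOREACH Pat IN Pats.values.sort('SNAME') -%>
<tr><td><% Pat.ID | html %></td><td><% Pat.SNAME | html %></td><td><% Pat.CHNAME | html %></td></tr>
<% END -%>
</table>
TT

print $table;
die "script tag reached the table\n" if $table =~ /<script/;
die "rows not sorted by SNAME\n" unless $table =~ /Alpha.*Zed/s;
```

Note the caveat: the `html` filter leaves single quotes alone, so a value dropped inside a single-quoted attribute (or into a `<script>` block or a URL) still needs a context-appropriate encoding rather than this filter. Escaping per variable also relies on nobody forgetting a `| html`; that is the gap Template::Stash::AutoEscaping, linked above, is meant to close by escaping everything unless explicitly marked raw.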
