[dancer-users] Template Toolkit Sort Hash

Shlomi Fish shlomif at shlomifish.org
Mon Sep 28 18:31:43 BST 2015


On Mon, 28 Sep 2015 10:04:51 -0500
Richard Reina <gatorreina at gmail.com> wrote:

> 2015-09-28 8:54 GMT-05:00 Shlomi Fish <shlomif at shlomifish.org>:
> 
> > Hi Richard,
> >
> > replying to the list. Please reply to the list next time - see the last
> > line of
> > my signature.
> >
> >
> >
> Sorry, meant to reply to the list.
> 

I see - OK.

> 
> >
> > > > >  <div class="well" style="max-height: 300px;overflow: auto;">
> > > > >                 <ul class="list-group fancy-list-items">    <!-- <ul
> > > > > class="list-group checked-list-box"> -->
> > > > >              <table style="width:100%">
> > > > >                <% FOREACH Pat IN Pats.values.sort('SNAME') -%>
> > > > >                 <tr class="list-group-item">
> > > > >                   <td width="25"><% Pat.ID %>
> > > > >                   <td width="70"><% Pat.SNAME %>
> > > > >                   <td width="75"><% Pat.ANAME %>
> > > > >                   <td width="35"><% Pat.SSN %>
> > > > >                   <td width="35"><% Pat.YR %>
> > > > >                   <td width="250"><% Pat.CHNAME %>
> > > > >                   <td width="550"><% Pat.DESCRIP %>
> > > >
> > > > 1. You're missing the closing tag - "</td>".
> > > >
> > >
> > >    Thanks for pointing that out.  Can't believe I missed that.
> > >
> >
> > You're welcome. Are you validating your output? Do you have automated
> > tests to
> > do it for you?
> >
> 
> Validation is a work in progress for me. Trying to find an elegant way to
> take it out of my Dancer app but that's another story. In this particular
> case -- the case above -- all of the data is coming from a table via
> $sth->fetchall_hashref('ID'). Is there still such a vulnerability if it's
> not user input?

Well, if end users can insert data into the table somehow, then it's still
vulnerable. Furthermore, if the fields in the table contain special HTML
characters like <, >, &, etc., then it may confuse the browser's HTML parser
and cause the HTML to not validate. So it's a good idea to escape the fields
anyway when passing them to the output.

Regards,
	
	-- Shlomi Fish

-- 
-----------------------------------------------------------------
Shlomi Fish       http://www.shlomifish.org/
NSA Factoids - http://www.shlomifish.org/humour/bits/facts/NSA/

One of my most productive days was throwing away 1,000 lines of code.
    — Ken Thompson (Attributed)

Please reply to list if it's a mailing list post - http://shlom.in/reply .
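As an added illustration of the escaping point above (this is not code from the thread or from Dancer), a stand-alone Template Toolkit script that renders the same kind of FOREACH/sort loop twice over constructed rows shaped like fetchall_hashref('ID') output: once verbatim as in the posted template, once with TT's built-in html filter. The Pats data, column names and the two-column table are assumptions for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Constructed sample rows, shaped like what $sth->fetchall_hashref('ID')
# returns: a hash of row hashes keyed by the ID column.  The second row
# deliberately carries characters that are special in HTML.
my %pats = (
    1 => { ID => 1, SNAME => 'Smith',        ANAME => 'Ann' },
    2 => { ID => 2, SNAME => '<b>Jones</b>', ANAME => 'Bob & Co' },
    3 => { ID => 3, SNAME => 'Adams',        ANAME => 'Cy' },
);

# Same tag style as the Dancer template in the thread ("<% ... %>").
my $tt = Template->new({ START_TAG => '<%', END_TAG => '%>' })
    or die Template->error;

# Unescaped, as in the original snippet: each value is copied into the
# page verbatim, so "<b>" becomes markup and "&" is left as a bare ampersand.
my $unsafe = <<'TT';
<% FOREACH Pat IN Pats.values.sort('SNAME') -%>
<tr><td><% Pat.ID %></td><td><% Pat.SNAME %></td><td><% Pat.ANAME %></td></tr>
<% END -%>
TT

# Escaped: the "html" filter turns < > & " into entities, so the browser
# displays the text instead of interpreting it, whatever the table holds.
my $safe = <<'TT';
<% FOREACH Pat IN Pats.values.sort('SNAME') -%>
<tr><td><% Pat.ID | html %></td><td><% Pat.SNAME | html %></td><td><% Pat.ANAME | html %></td></tr>
<% END -%>
TT

for my $variant ([unescaped => $unsafe], [escaped => $safe]) {
    my ($label, $src) = @$variant;
    my $out = '';
    $tt->process(\$src, { Pats => \%pats }, \$out) or die $tt->error;
    print "--- $label ---\n$out";
}
```

In the escaped output the Jones row renders as `&lt;b&gt;Jones&lt;/b&gt;` and `Bob &amp; Co`, which is what a validator and the browser both expect.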

