[dancer-users] Best practice to escape HTML entities in Dancer2 and TT
Andrew Beverley
andy at andybev.com
Mon Feb 12 17:41:23 GMT 2018
On Sun, 11 Feb 2018 00:45:13 +0100 Lutz Gehlen <lrg_ml at gmx.net> wrote:
> On Saturday, 10.02.2018 09:16:52 Hermann Calabria wrote:
> > Why not use TT’s native FILTER capability:
> >
> > <% somehtml FILTER html %>
>
> The reason is that the application has many templates with many
> output sections that need to be filtered. To add the html filter to
> each of these places would be both cumbersome and error-prone.
Agreed. Having taken the FILTER approach until now, I have come to the
conclusion that some will always be missed at some point in the
application's development, leading to potential XSS vulnerabilities.
Andy
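The gap described in this thread, one output directive given the html filter and one that was missed, as an added Perl example that is not part of the list post and assumes only that Template::Toolkit is installed (the <% %> tag style is set to match the syntax quoted above; the untrusted string is constructed):

```perl
#!/usr/bin/env perl
# Added example, not from the mailing-list post: contrasts a Template
# Toolkit output directive that carries the html filter with one that
# was missed, which is the failure mode the thread is worried about.
use strict;
use warnings;
use Template;

# Dancer2's Template Toolkit engine uses <% %> tags by default, matching
# the syntax quoted in the thread; plain Template::Toolkit defaults to
# [% %], so the tags are set explicitly here.
my $tt = Template->new({ START_TAG => '<%', END_TAG => '%>' })
    or die Template->error();

# Constructed untrusted input, e.g. a user-supplied display name.
my $untrusted = '<script>alert("constructed")</script>';

# Two output sections: the first is escaped, the second is the kind of
# directive that gets overlooked when every site must be filtered by hand.
my $template = <<'TMPL';
filtered:   <% name FILTER html %>
unfiltered: <% name %>
TMPL

my $output;
$tt->process(\$template, { name => $untrusted }, \$output)
    or die $tt->error();
print $output;
```

Run with `perl example.pl`: the first line comes out as entity-encoded text (the angle brackets and quotes are replaced by `&lt;`, `&gt;` and `&quot;`), while the second line reproduces the script tag verbatim. Reviewing a large set of templates for directives like the second one is exactly the cumbersome, error-prone task the thread is trying to avoid.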