[Dancer-users] Dancer and XSS

sawyer x xsawyerx at gmail.com
Wed Apr 14 09:07:35 UTC 2010

On Wed, Apr 14, 2010 at 11:38 AM, Alexis Sukrieh <sukria at sukria.net> wrote:

> Hi John,


> > 2 - explicit html-escape in templates (con: you need this on nearly all
> variable interpolations in every template)
> This is not yet possible, but will be as soon as we add support for
> another kind of filter: "before_template", see
> http://github.com/sukria/Dancer/issues#issue/60

Also, this can be done using the template engine of your choice (if it
supports it).
Template Toolkit supports "| html" filter, which escapes your outputted

> > 3 - auto html-escape in templates (con: this breaks some complex template
> logic)

Seems like it would suck to work with it.
"<% IF var == "3&gt;" %>"

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.backup-manager.org/pipermail/dancer-users/attachments/20100414/a65d60af/attachment.htm>

More information about the Dancer-users mailing list