[dancer-users] Template Toolkit Sort Hash

WK wanradt at gmail.com
Mon Sep 28 15:00:38 BST 2015

2015-09-28 16:54 GMT+03:00 Shlomi Fish <shlomif at shlomifish.org>:

> Because cross-site scripting (XSS) can be a serious security vulnerability.
> Let's suppose you put a field called "myfield" that was input from the user
> directly into the HTML:
>         <td><% myfield %></td>
> Then a malicious user can put something like this in "myfield":
>         <script type="text/javascript">alert('XSS!')</script>
> And this is just the beginning of malicious JS that can be inserted.
> For a cautionary measure, see:
> https://metacpan.org/release/Template-Stash-AutoEscaping

Some template engines treat your variables as potentially dangerous
unless you tell them otherwise. For example, Text::Xslate


All the best,
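As an added illustration of the point in the quoted message (example code, not from the thread or from Template Toolkit's own docs): the same `<% myfield %>` cell rendered once verbatim and once through Template Toolkit's built-in `html` filter, with the `myfield` value constructed here to stand in for the malicious input described above. The AutoEscaping stash linked in the quoted message makes this escaping the default; the filter shown here is the opt-in form.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Constructed sample of attacker-controlled input, matching the quoted message.
my %vars = (
    myfield => q{<script type="text/javascript">alert('XSS!')</script>},
);

# TAG_STYLE 'asp' selects the <% ... %> delimiters used in the quoted snippet.
my $tt = Template->new({ TAG_STYLE => 'asp' });

# Unsafe: the variable is interpolated verbatim, so the <script> reaches the browser.
my $unsafe_tmpl = '<td><% myfield %></td>';

# Safe: the html filter rewrites & < > " as entities, so the payload is shown, not run.
my $safe_tmpl = '<td><% myfield | html %></td>';

# Render a template string and return the output.
sub render {
    my ($tmpl) = @_;
    my $out = '';
    $tt->process(\$tmpl, \%vars, \$out) or die $tt->error;
    return $out;
}

# Crude check a reviewer might run over rendered output: does a raw <script> tag survive?
sub has_raw_script_tag {
    my ($html) = @_;
    return $html =~ /<script\b/i ? 1 : 0;
}

for my $case (['unsafe', $unsafe_tmpl], ['safe', $safe_tmpl]) {
    my ($name, $tmpl) = @$case;
    my $out = render($tmpl);
    printf "%-6s raw <script> present: %d\n%s\n\n",
        $name, has_raw_script_tag($out), $out;
}
```

The unsafe case prints the `<script>` element intact; the safe case prints `&lt;script type=&quot;text/javascript&quot;&gt;...&lt;/script&gt;`, which a browser displays as text.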

