[dancer-users] Template Toolkit Sort Hash
WK
wanradt at gmail.com
Mon Sep 28 15:00:38 BST 2015
2015-09-28 16:54 GMT+03:00 Shlomi Fish <shlomif at shlomifish.org>:
> Because cross-site scripting (XSS) can be a serious security vulnerability.
> Let's suppose you put a field called "myfield" that was input from the user
> directly into the HTML:
>
> <td><% myfield %></td>
>
> Then a malicious user can put something like this in "myfield":
>
> <script type="text/javascript">alert('XSS!')</script>
>
> And this is just the beginning of malicious JS that can be inserted.
>
> For a cautionary measure, see:
>
> https://metacpan.org/release/Template-Stash-AutoEscaping
Some template engines treat your variables as potentially dangerous
unless you tell them otherwise. For example Text::Xslate
https://metacpan.org/pod/Text::Xslate#Smart-escaping-for-HTML-metacharacters
Wbr,
--
All the best,
G
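To make the contrast in the quoted reply concrete, here is an added example (not code from this thread, from Dancer or from Template Toolkit's own docs) that renders the same constructed "myfield" value twice: once with plain interpolation, as in the quoted <td> snippet, and once through Template Toolkit's built-in html filter. The <% %> tag style (Dancer's default) and the sample value are assumptions chosen to match the snippet above.

```perl
#!/usr/bin/env perl
# Added example (not from the thread): the same user-supplied value
# rendered with and without Template Toolkit's built-in "html" filter.
use strict;
use warnings;
use Template;

# Dancer's default tag style is <% ... %>, matching the snippet in the thread
# (assumption: Template.pm's default would be [% ... %]).
my $tt = Template->new({ START_TAG => '<%', END_TAG => '%>' })
    or die Template->error;

# Constructed sample input: the payload quoted in the thread, exactly as a
# user could submit it in a form field named "myfield".
my $vars = {
    myfield => q{<script type="text/javascript">alert('XSS!')</script>},
};

# Unsafe: the value is interpolated verbatim, so the browser runs the script.
my $unsafe_tmpl = '<td><% myfield %></td>';

# Safe: the html filter rewrites &, <, > and " as entities, so the browser
# displays the payload as text instead of executing it.
my $safe_tmpl = '<td><% myfield | html %></td>';

for my $tmpl ($unsafe_tmpl, $safe_tmpl) {
    my $out;
    $tt->process(\$tmpl, $vars, \$out) or die $tt->error;
    print "template: $tmpl\n  output: $out\n";
}
```

Running it shows the first output containing a live <script> element and the second containing only &lt;script ...&gt; text. The per-variable filter still relies on every author remembering to add "| html"; Template::Stash::AutoEscaping, linked in the quoted reply, flips the default so escaping happens unless a value is explicitly marked as trusted.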