[dancer-users] Best practice to escape HTML entities in Dancer2 and TT

Lutz Gehlen lrg_ml at gmx.net
Sat Feb 10 23:45:13 GMT 2018


Hi Hermann,

On Saturday, 10.02.2018 09:16:52 Hermann Calabria wrote:
> Why not use TT’s native FILTER capability:
> 
> <% somehtml FILTER html %>

The reason is that the application has many templates with many 
output sections that need to be filtered. To add the html filter to 
each of these places would be both cumbersome and error-prone. I 
think it would be safer and more elegant to use a more centralized 
approach.
 
> From an MVC perspective it’s probably the right place to do html
> escaping — not at the lib (Model) level.

I agree that the View level is the right place to do the escaping 
instead of e.g. the Model level. However, a solution along the lines 
of Shlomi's suggestion, which modifies the behavior of 
Template::Toolkit, _is_ at the View level.

Best wishes,
Lutz


> > On Feb 10, 2018, at 8:39 AM, Lutz Gehlen <lrg_ml at gmx.net> wrote:
> > 
> > Hi Shlomi,
> > 
> > thanks for your reply. I have tried to use your module, but I am
> > unsure how to activate it in my Dancer2 application. I have added
> > the class as STASH to my template engine in config.yml:
> > 
> > template: "template_toolkit"
> > 
> > engines:
> >  template:
> >    template_toolkit:
> >      start_tag: '[%'
> >      end_tag:   '%]'
> >      ENCODING: utf8
> > 
> > <snip>...</snip>
> > 
> >      STASH: 'Template::Stash::AutoEscaping'
> > 
> > First, I got the error message that the module was not loaded,
> > but even if I load the module manually I get:
> > 
> > Can't use string ("Template::Stash::AutoEscaping") as a HASH ref
> > while "strict refs" in use at
> > /usr/local/lib/x86_64-linux-gnu/perl/5.20.2/Template/Stash.pm line 161.
> > 
> > It seems like Template::Stash expects an instance of the stash
> > class (like you show in the SYNOPSIS section of your module).
> > But how do I tell Dancer2 to instantiate the class and hand it
> > over to TT? Can you help me with that?
> > 
> > Cheers,
> > Lutz
> > 
> >> On Saturday, 10.02.2018 13:42:01 Shlomi Fish wrote:
> >> Hi Lutz,
> >> 
> >> On Sat, 10 Feb 2018 11:15:07 +0100
> >> 
> >> Lutz Gehlen <lrg_ml at gmx.net> wrote:
> >>> Hello all,
> >>> 
> >>> in Dancer1, I have been using Dancer::Plugin::EscapeHTML to
> >>> automatically escape HTML entities in server generated output.
> >>> I have never tried to figure out how it does its job, but it
> >>> seemed to do what I needed.
> >>> 
> >>> I have not found a similar plugin for Dancer2. However, this
> >>> must be a widespread problem, isn't it? What is the best
> >>> practice to automatically escape HTML entities with Dancer2
> >>> and Template::Toolkit?
> >> 
> >> perhaps see
> >> https://metacpan.org/release/Template-Stash-AutoEscaping . Note
> >> that it is a fork by me of a different module.
> >> 
> >>> Thank you and best wishes,
> >>> Lutz
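
Added example (not code from this thread or from the module's own documentation): a stand-alone Perl script contrasting stock Template Toolkit, where an unfiltered [% name %] emits untrusted input verbatim, with a Template::Stash::AutoEscaping instance passed as STASH, which escapes every interpolated value centrally. The untrusted string is constructed for the demo; the script assumes, as the module's SYNOPSIS shows, that the stash is passed as an object via STASH and that its default escape type is HTML.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Template;
use Template::Stash::AutoEscaping;

# Constructed untrusted input, as it might arrive from a form field.
my $untrusted = q{<script>alert("xss")</script>};

# One template text used with both engines. The variable is output with
# no FILTER html at the output site, which is the "many templates, many
# output sections" situation the thread is about.
my $template = q{<p>Hello, [% name %]</p>};

# 1) Stock TT: the value is interpolated verbatim, so the only protection
#    is remembering to write [% name FILTER html %] at every site.
my $plain = Template->new();
my $unsafe_out;
$plain->process(\$template, { name => $untrusted }, \$unsafe_out)
    or die $plain->error;

# 2) Auto-escaping stash: STASH must be an *instance*, not the class name
#    as a string. Handing TT the bare string is what produces the
#    "Can't use string (...) as a HASH ref" error quoted in the thread,
#    because Template::Stash treats the value as its own object.
my $escaping = Template->new({
    STASH => Template::Stash::AutoEscaping->new,   # assumed default: HTML
});
my $safe_out;
$escaping->process(\$template, { name => $untrusted }, \$safe_out)
    or die $escaping->error;

print "stock TT      : $unsafe_out\n";
print "auto-escaping : $safe_out\n";

# Regression check worth keeping in a test suite: the raw tag must not
# survive rendering when the escaping stash is in place.
die "auto-escaping stash did not escape output\n"
    if index($safe_out, '<script>') != -1;
```

The first line printed shows the script tag intact; the second shows it rendered as &lt;script&gt;... with the quotes escaped as well.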