[dancer-users] Best practice to escape HTML entities in Dancer2 and TT

Andrew Beverley andy at andybev.com
Mon Feb 12 17:41:23 GMT 2018

On Sun, 11 Feb 2018 00:45:13 +0100 Lutz Gehlen <lrg_ml at gmx.net> wrote:
> On Saturday, 10.02.2018 09:16:52 Hermann Calabria wrote:
> > Why not use TT’s native FILTER capability:
> > 
> > <% somehtml FILTER html %>
> The reason is that the application has many templates with many 
> output sections that need to be filtered. To add the html filter to 
> each of these places would be both cumbersome and error-prone.

Agreed. Having taken the FILTER approach until now, I have come to the
conclusion that some will always be missed at some point in the
application's development, leading to potential XSS vulnerabilities.


More information about the dancer-users mailing list