[Templates] html escaping

Jonas Liljegren jonas@paranormal.se
Wed, 16 Aug 2000 11:15:56 +0200 (CEST)


I think that it's a very common case to escape values for inserting into
form fields or other places in html pages. In fact, with the philosophy of
TT, there should never be any HTML markup in the data generated from
programs or coming from databases, unless the data is a template in
itself.

This ruins the beauty of just being able to say
  $user.name says "$user.comment"

With the filtering, it gets
  [% user.name | html %] says [% user.comment | html %]


How do we solve this? Previous suggestions have been to accept filters
like $user.name|html, or making it a method like $user.name.html.

I come to think about making everything html filtered. Maybe specifying a
filter that filters everything from the GET directive? Parameters and
embedded variables in parameters, etc should not be filtered.

Variables in URLs should be URI-escaped rather than HTML-escaped. So this
is the exception.  I would suggest that any explicit filtering overrides
the specified default filtering.

Examples:
   my $template = Template->new({FILTER_GET => 'html'});


<a href="http://www.domain.orb[% path | nofilter %]?[% query | urifilter %]">$normal_HTML_filtered_string</a>

-- 
/ Jonas  -  http://jonas.liljegren.org/myself/en/index.html
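A toy renderer that models the semantics proposed in this post (an added example; it is neither Template Toolkit's code nor the poster's): every `[% var %]` is HTML-escaped by default, an explicit `| filter` overrides that default, and the URL parts use `uri` / `nofilter`. The filter names, the dotted-variable lookup and the sample data are assumptions made for the illustration.

```python
import html
import re
import urllib.parse

# Hypothetical filter table modelling the proposal; TT's real filters are
# "html" and "uri", while "nofilter" here just passes the value through.
FILTERS = {
    "html": html.escape,
    "uri": lambda s: urllib.parse.quote(s, safe=""),
    "nofilter": lambda s: s,
}

# Matches "[% user.name %]" or "[% query | uri %]".
TAG = re.compile(r"\[%\s*([\w.]+)\s*(?:\|\s*(\w+)\s*)?%\]")


def lookup(variables, dotted):
    """Resolve a dotted name such as user.comment against nested dicts."""
    value = variables
    for part in dotted.split("."):
        value = value[part]
    return str(value)


def render(template, variables, default_filter="html"):
    """Render a template; the default filter applies unless one is given."""
    def substitute(match):
        name, explicit = match.group(1), match.group(2)
        apply_filter = FILTERS[explicit or default_filter]
        return apply_filter(lookup(variables, name))
    return TAG.sub(substitute, template)


# Constructed sample: an untrusted comment and a query string with reserved chars.
TEMPLATE = (
    '[% user.name %] says "[% user.comment %]"\n'
    '<a href="http://www.domain.orb/[% path | nofilter %]?q=[% query | uri %]">'
    "[% user.name %]</a>"
)
VARS = {
    "user": {"name": "Jonas", "comment": '<script>alert("x")</script>'},
    "path": "search/index.html",
    "query": "a&b=c d",
}

if __name__ == "__main__":
    print(render(TEMPLATE, VARS))
```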