Skip Menu |
 

This queue is for tickets about the HTML-Template CPAN distribution.

Report information
The Basics
Id: 15061
Status: resolved
Priority: 0/
Queue: HTML-Template

People
Owner: Nobody in particular
Requestors: mark [...] summersault.com
Cc:
AdminCc:

Bug Information
Severity: Wishlist
Broken in: 2.7
Fixed in: (no value)



Subject: wish: add option to turn escape=html on default
Download (untitled) / with headers
text/plain 264b
There should be an option to turn on "escape=html" by default, and then turn it off selectively with "escape=none" or another escaping option. This reduces vulnerability to XSS attacks and mirrors how "use strict / no strict" are recommended to be used. Mark
From: markstos [...] cpan.org
Download (untitled) / with headers
text/plain 108b
This idea was well received on the list, and patches and tests were submitted there to address the issue.
This is fixed in 2.8.
Download (untitled) / with headers
text/plain 117b
I don't know why RT reopened this - it really is fixed in 2.8, and it's better in 2.9 now that escape=none will work.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.