Skip Menu |
 

This queue is for tickets about the HTML-Template CPAN distribution.

Report information
The Basics
Id: 18274
Status: resolved
Priority: 0/
Queue: HTML-Template

People
Owner: Nobody in particular
Requestors: cpan [...] punch.net
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 2.8
Fixed in: (no value)



Subject: unable to turn off escaping if default_escape has been specified
Download (untitled) / with headers
text/plain 369b
if you have specified default_escape => "HTML" in your constructor this no longer works: <TMPL_VAR foo ESCAPE=0> The attached patch fixes this problem, as well as adding <TMPL_VAR foo ESCAPE=NONE> And allowing someone to use single quotes to escape with JS <TMPL_VAR foo ESCAPE='JS'> There is also a new test file which tests the bug fixes and new functionality.
Subject: Template.pm.diff
Download Template.pm.diff
text/x-diff 3.5k
--- Template.pm 2005-12-21 15:21:01.000000000 -0800 +++ blib/lib/HTML/Template.pm 2006-03-15 22:40:10.000000000 -0800 @@ -126,8 +126,9 @@ You'll get what you wanted no matter what value happens to be passed in for param. You can also write ESCAPE="HTML", ESCAPE='HTML' and ESCAPE='1'. -Substitute a 0 for the HTML and you turn off escaping, which is the default -anyway. + +"ESCAPE=0" and "ESCAPE=NONE" turn off escaping, which is the default +behavior. There is also the "ESCAPE=URL" option which may be used for VARs that populate a URL. It will do URL escaping, like replacing ' ' with '+' @@ -1859,18 +1860,13 @@ [Ee][Ss][Cc][Aa][Pp][Ee] \s*=\s* (?: - (?: 0 | (?:"0") | (?:'0') ) - | - ( 1 | (?:"1") | (?:'1') | - (?:[Hh][Tt][Mm][Ll]) | - (?:"[Hh][Tt][Mm][Ll]") | - (?:'[Hh][Tt][Mm][Ll]') | - (?:[Uu][Rr][Ll]) | - (?:"[Uu][Rr][Ll]") | - (?:'[Uu][Rr][Ll]') | - (?:[Jj][Ss]) | - (?:"[Jj][Ss]") | - (?:'[Jj][Ss]') | + ( + (?:["']?0["']?)| + (?:["']?1["']?)| + (?:["']?[Hh][Tt][Mm][Ll]["']?) | + (?:["']?[Uu][Rr][Ll]["']?) | + (?:["']?[Jj][Ss]["']?) | + (?:["']?[Nn][Oo][Nn][Ee]["']?) ) # $5 => ESCAPE on ) )* # allow multiple ESCAPEs @@ -1929,18 +1925,13 @@ [Ee][Ss][Cc][Aa][Pp][Ee] \s*=\s* (?: - (?: 0 | (?:"0") | (?:'0') ) - | - ( 1 | (?:"1") | (?:'1') | - (?:[Hh][Tt][Mm][Ll]) | - (?:"[Hh][Tt][Mm][Ll]") | - (?:'[Hh][Tt][Mm][Ll]') | - (?:[Uu][Rr][Ll]) | - (?:"[Uu][Rr][Ll]") | - (?:'[Uu][Rr][Ll]') | - (?:[Jj][Ss]) | - (?:"[Jj][Ss]") | - (?:'[Jj][Ss]') | + ( + (?:["']?0["']?)| + (?:["']?1["']?)| + (?:["']?[Hh][Tt][Mm][Ll]["']?) | + (?:["']?[Uu][Rr][Ll]["']?) | + (?:["']?[Jj][Ss]["']?) | + (?:["']?[Nn][Oo][Nn][Ee]["']?) ) # $15 => ESCAPE on ) )* # allow multiple ESCAPEs @@ -2023,11 +2014,16 @@ # if ESCAPE was set, push an ESCAPE op on the stack before # the variable. output will handle the actual work. + # unless of course, they have set escape=0 or escape=none if ($escape) { if ($escape =~ /^["']?[Uu][Rr][Ll]["']?$/) { push(@pstack, $URLESCAPE); - } elsif ($escape =~ /^"?[Jj][Ss]"?$/) { + } elsif ($escape =~ /^["']?[Jj][Ss]["']?$/) { push(@pstack, $JSESCAPE); + } elsif ($escape =~ /^["']?0["']?$/) { + # do nothing if escape=0 + } elsif ($escape =~ /^["']?[Nn][Oo][Nn][Ee]["']?$/ ) { + # do nothing if escape=none } else { push(@pstack, $ESCAPE); }
Subject: 04default_escape.t
Download 04default_escape.t
text/x-perl 7.6k
use Test::More tests => 98; #use Test::More qw/no_plan/; use HTML::Template; use strict; while( <DATA> ) { chomp; next if /^$/; next if /^#/; my($text,$given,$wanted) = split /\|/; my $template = HTML::Template->new( scalarref => \$text, default_escape => "HTML" ); $template->param(foo => $given); my $output = $template->output; is($output , $wanted , $text); } # use pipe as the seperator between fields. # the TMPL_VAR name should always be 'foo' # fields: TMPL_VAR|given string|escaped string __DATA__ # use default escaping <TMPL_VAR foo>|<b>this is bold\n|&lt;b&gt;this is bold\n <TMPL_VAR name=foo>|<b>this is bold\n|&lt;b&gt;this is bold\n <TMPL_VAR name='foo'>|<b>this is bold\n|&lt;b&gt;this is bold\n <TMPL_VAR NAME="foo">|<b>this is bold\n|&lt;b&gt;this is bold\n <!-- TMPL_VAR foo -->|<b>this is bold\n|&lt;b&gt;this is bold\n <!-- TMPL_VAR name=foo -->|<b>this is bold\n|&lt;b&gt;this is bold\n <!-- TMPL_VAR NAME=foo -->|<b>this is bold\n|&lt;b&gt;this is bold\n <!-- TMPL_VAR name='foo' -->|<b>this is bold\n|&lt;b&gt;this is bold\n <!-- TMPL_VAR NAME="foo" -->|<b>this is bold\n|&lt;b&gt;this is bold\n # use js escaping <TMPL_VAR foo ESCAPE=JS>|<b>this is bold\n|<b>this is bold\\n <TMPL_VAR ESCAPE=JS foo>|<b>this is bold\n|<b>this is bold\\n <TMPL_VAR ESCAPE="JS" foo>|<b>this is bold\n|<b>this is bold\\n <TMPL_VAR foo ESCAPE="JS">|<b>this is bold\n|<b>this is bold\\n <TMPL_VAR NAME="foo" ESCAPE="JS">|<b>this is bold\n|<b>this is bold\\n <TMPL_VAR ESCAPE="JS" NAME="foo">|<b>this is bold\n|<b>this is bold\\n <TMPL_VAR ESCAPE='JS' foo>|<b>this is bold\n|<b>this is bold\\n <TMPL_VAR foo ESCAPE='JS'>|<b>this is bold\n|<b>this is bold\\n <TMPL_VAR NAME='foo' ESCAPE='JS'>|<b>this is bold\n|<b>this is bold\\n <TMPL_VAR ESCAPE='JS' NAME='foo'>|<b>this is bold\n|<b>this is bold\\n <!-- TMPL_VAR foo ESCAPE=JS -->|<b>this is bold\n|<b>this is bold\\n <!-- TMPL_VAR ESCAPE=JS foo -->|<b>this is bold\n|<b>this is bold\\n <!-- TMPL_VAR foo ESCAPE=JS -->|<b>this is bold\n|<b>this is bold\\n <!-- TMPL_VAR ESCAPE="JS" foo -->|<b>this is bold\n|<b>this is bold\\n <!-- TMPL_VAR foo ESCAPE="JS" -->|<b>this is bold\n|<b>this is bold\\n <!-- TMPL_VAR NAME="foo" ESCAPE="JS" -->|<b>this is bold\n|<b>this is bold\\n <!-- TMPL_VAR ESCAPE="JS" NAME="foo" -->|<b>this is bold\n|<b>this is bold\\n <!-- TMPL_VAR ESCAPE='JS' foo -->|<b>this is bold\n|<b>this is bold\\n <!-- TMPL_VAR foo ESCAPE='JS' -->|<b>this is bold\n|<b>this is bold\\n <!-- TMPL_VAR NAME='foo' ESCAPE='JS' -->|<b>this is bold\n|<b>this is bold\\n <!-- TMPL_VAR ESCAPE='JS' NAME='foo' -->|<b>this is bold\n|<b>this is bold\\n #use url escaping <TMPL_VAR foo ESCAPE=URL>|<b>this is bold\n|%3Cb%3Ethis%20is%20bold%5Cn <TMPL_VAR ESCAPE=URL foo>|<b>this is bold\n|%3Cb%3Ethis%20is%20bold%5Cn <TMPL_VAR foo ESCAPE=URL>|<b>this is bold\n|%3Cb%3Ethis%20is%20bold%5Cn <TMPL_VAR ESCAPE="URL" foo>|<b>this is bold\n|%3Cb%3Ethis%20is%20bold%5Cn <TMPL_VAR foo ESCAPE="URL">|<b>this is bold\n|%3Cb%3Ethis%20is%20bold%5Cn <TMPL_VAR NAME="foo" ESCAPE="URL">|<b>this is bold\n|%3Cb%3Ethis%20is%20bold%5Cn <TMPL_VAR ESCAPE="URL" NAME="foo">|<b>this is bold\n|%3Cb%3Ethis%20is%20bold%5Cn <TMPL_VAR ESCAPE='URL' foo>|<b>this is bold\n|%3Cb%3Ethis%20is%20bold%5Cn <TMPL_VAR foo ESCAPE='URL'>|<b>this is bold\n|%3Cb%3Ethis%20is%20bold%5Cn <TMPL_VAR NAME='foo' ESCAPE='URL'>|<b>this is bold\n|%3Cb%3Ethis%20is%20bold%5Cn <TMPL_VAR ESCAPE='URL' NAME='foo'>|<b>this is bold\n|%3Cb%3Ethis%20is%20bold%5Cn <!-- TMPL_VAR foo ESCAPE=URL -->|<b>this is bold\n|%3Cb%3Ethis%20is%20bold%5Cn <!-- TMPL_VAR ESCAPE=URL foo -->|<b>this is bold\n|%3Cb%3Ethis%20is%20bold%5Cn <!-- TMPL_VAR foo ESCAPE=URL -->|<b>this is bold\n|%3Cb%3Ethis%20is%20bold%5Cn <!-- TMPL_VAR ESCAPE="URL" foo -->|<b>this is bold\n|%3Cb%3Ethis%20is%20bold%5Cn <!-- TMPL_VAR foo ESCAPE="URL" -->|<b>this is bold\n|%3Cb%3Ethis%20is%20bold%5Cn <!-- TMPL_VAR NAME="foo" ESCAPE="URL" -->|<b>this is bold\n|%3Cb%3Ethis%20is%20bold%5Cn <!-- TMPL_VAR ESCAPE="URL" NAME="foo" -->|<b>this is bold\n|%3Cb%3Ethis%20is%20bold%5Cn <!-- TMPL_VAR ESCAPE='URL' foo -->|<b>this is bold\n|%3Cb%3Ethis%20is%20bold%5Cn <!-- TMPL_VAR foo ESCAPE='URL' -->|<b>this is bold\n|%3Cb%3Ethis%20is%20bold%5Cn <!-- TMPL_VAR NAME='foo' ESCAPE='URL' -->|<b>this is bold\n|%3Cb%3Ethis%20is%20bold%5Cn <!-- TMPL_VAR ESCAPE='URL' NAME='foo' -->|<b>this is bold\n|%3Cb%3Ethis%20is%20bold%5Cn # no escaping <TMPL_VAR foo ESCAPE=0>|<b>this is bold\n|<b>this is bold\n <TMPL_VAR ESCAPE=0 foo>|<b>this is bold\n|<b>this is bold\n <TMPL_VAR foo ESCAPE=0>|<b>this is bold\n|<b>this is bold\n <TMPL_VAR ESCAPE="0" foo>|<b>this is bold\n|<b>this is bold\n <TMPL_VAR foo ESCAPE="0">|<b>this is bold\n|<b>this is bold\n <TMPL_VAR NAME="foo" ESCAPE="0">|<b>this is bold\n|<b>this is bold\n <TMPL_VAR ESCAPE="0" NAME="foo">|<b>this is bold\n|<b>this is bold\n <TMPL_VAR ESCAPE='0' foo>|<b>this is bold\n|<b>this is bold\n <TMPL_VAR foo ESCAPE='0'>|<b>this is bold\n|<b>this is bold\n <TMPL_VAR NAME='foo' ESCAPE='0'>|<b>this is bold\n|<b>this is bold\n <TMPL_VAR ESCAPE='0' NAME='foo'>|<b>this is bold\n|<b>this is bold\n <!-- TMPL_VAR foo ESCAPE=0 -->|<b>this is bold\n|<b>this is bold\n <!-- TMPL_VAR ESCAPE=0 foo -->|<b>this is bold\n|<b>this is bold\n <!-- TMPL_VAR foo ESCAPE=0 -->|<b>this is bold\n|<b>this is bold\n <!-- TMPL_VAR ESCAPE="0" foo -->|<b>this is bold\n|<b>this is bold\n <!-- TMPL_VAR foo ESCAPE="0" -->|<b>this is bold\n|<b>this is bold\n <!-- TMPL_VAR NAME="foo" ESCAPE="0" -->|<b>this is bold\n|<b>this is bold\n <!-- TMPL_VAR ESCAPE="0" NAME="foo" -->|<b>this is bold\n|<b>this is bold\n <!-- TMPL_VAR ESCAPE='0' foo -->|<b>this is bold\n|<b>this is bold\n <!-- TMPL_VAR foo ESCAPE='0' -->|<b>this is bold\n|<b>this is bold\n <!-- TMPL_VAR NAME='foo' ESCAPE='0' -->|<b>this is bold\n|<b>this is bold\n <!-- TMPL_VAR ESCAPE='0' NAME='foo' -->|<b>this is bold\n|<b>this is bold\n # no escaping <TMPL_VAR foo ESCAPE=NONE>|<b>this is bold\n|<b>this is bold\n <TMPL_VAR ESCAPE=NONE foo>|<b>this is bold\n|<b>this is bold\n <TMPL_VAR foo ESCAPE=NONE>|<b>this is bold\n|<b>this is bold\n <TMPL_VAR ESCAPE="NONE" foo>|<b>this is bold\n|<b>this is bold\n <TMPL_VAR foo ESCAPE="NONE">|<b>this is bold\n|<b>this is bold\n <TMPL_VAR NAME="foo" ESCAPE="NONE">|<b>this is bold\n|<b>this is bold\n <TMPL_VAR ESCAPE="NONE" NAME="foo">|<b>this is bold\n|<b>this is bold\n <TMPL_VAR ESCAPE='NONE' foo>|<b>this is bold\n|<b>this is bold\n <TMPL_VAR foo ESCAPE='NONE'>|<b>this is bold\n|<b>this is bold\n <TMPL_VAR NAME='foo' ESCAPE='NONE'>|<b>this is bold\n|<b>this is bold\n <TMPL_VAR ESCAPE='NONE' NAME='foo'>|<b>this is bold\n|<b>this is bold\n <!-- TMPL_VAR foo ESCAPE=NONE -->|<b>this is bold\n|<b>this is bold\n <!-- TMPL_VAR ESCAPE=NONE foo -->|<b>this is bold\n|<b>this is bold\n <!-- TMPL_VAR foo ESCAPE=NONE -->|<b>this is bold\n|<b>this is bold\n <!-- TMPL_VAR ESCAPE="NONE" foo -->|<b>this is bold\n|<b>this is bold\n <!-- TMPL_VAR foo ESCAPE="NONE" -->|<b>this is bold\n|<b>this is bold\n <!-- TMPL_VAR NAME="foo" ESCAPE="NONE" -->|<b>this is bold\n|<b>this is bold\n <!-- TMPL_VAR ESCAPE="NONE" NAME="foo" -->|<b>this is bold\n|<b>this is bold\n <!-- TMPL_VAR ESCAPE='NONE' foo -->|<b>this is bold\n|<b>this is bold\n <!-- TMPL_VAR foo ESCAPE='NONE' -->|<b>this is bold\n|<b>this is bold\n <!-- TMPL_VAR NAME='foo' ESCAPE='NONE' -->|<b>this is bold\n|<b>this is bold\n <!-- TMPL_VAR ESCAPE='NONE' NAME='foo' -->|<b>this is bold\n|<b>this is bold\n #no escaping and default escaping <TMPL_VAR foo ESCAPE=0> <TMPL_VAR foo>|<b>this is bold\n|<b>this is bold\n &lt;b&gt;this is bold\n <!-- TMPL_VAR foo ESCAPE=0 --> <!-- TMPL_VAR foo -->|<b>this is bold\n|<b>this is bold\n &lt;b&gt;this is bold\n
This is fixed for v2.9, coming soon. Thanks!


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.