NAME
Template::Stash::AutoEscaping - escape automatically in Template-Toolkit.
SYNOPSIS
    use Template;
    use Template::Stash::AutoEscaping;
    my $tt = Template->new({
        STASH => Template::Stash::AutoEscaping->new
    });
METHODS
new
- die_on_unescaped
- This value, if set to a true value, causes the process to throw an
exception upon encountering a value that was not explicitly set to be
escaped or was marked as a raw value.
- escape_type
- Default is HTML.
- method_for_escape
- The default method to escape a value explicitly (mostly useful with
"die_on_unescaped").
- method_for_raw
- Default is raw. You can get the unescaped value with [% value.raw %].
- escape_method
    my $tt = Template->new({
        STASH => Template::Stash::AutoEscaping->new({
            escape_method => sub { my $text = shift; ... ; return $text }
        })
    });
- ignore_escape
    my $stash = Template::Stash::AutoEscaping->new({ ignore_escape => [qw(include_html include_raw my_escape_func)], ... });
- You can disable auto-escaping for specific values or TT macros, for
example when including another component, when outputting HTML that is
already safe, or when using another escape method.
class_for
    Template::Stash::AutoEscaping->class_for("HTML"); # Template::Stash::AutoEscaping::Escaped::HTML
    Template::Stash::AutoEscaping->class_for("HTML" => "MyHTMLString");
escape
For internal use.
escape_count
For internal use.
get_raw_args
For internal use.
DESCRIPTION
Template::Stash::AutoEscaping is a subclass of Template::Stash that
automatically escapes all HTML strings to avoid XSS vulnerabilities.
- $Template::Stash::AutoEscaping::ESCAPE_ARGS
- Default is 0. For example, hash keys and vmethod arguments are not
escaped. I think this is good in most cases.
By default, [% hash.${key} %] and [% hash.item(key) %] mean
[% hash.${key.raw} | html %] and [% hash.item(key.raw) | html %].
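
The following is an added example, not part of the module's own documentation. It renders one constructed hostile string through the three paths described above (auto-escaped, `.raw`, and a name listed in ignore_escape), first with the default HTML escaping and then with a custom escape_method. The variable names `comment` and `trusted_html` and the helpers `render` and `strict_escape` are hypothetical.

```perl
#!/usr/bin/env perl
# Added example: which template expressions the stash escapes.
use strict;
use warnings;
use Template;
use Template::Stash::AutoEscaping;

# Constructed sample data; the variable names are hypothetical.
my %vars = (
    comment      => q{<script>alert("x")</script> & more},
    trusted_html => q{<em>reviewed markup</em>},
);

my $template = <<'TT';
auto:    [% comment %]
raw:     [% comment.raw %]
ignored: [% trusted_html %]
TT

# Render the template with a stash built from the given options.
sub render {
    my (%stash_opts) = @_;
    my $tt = Template->new({
        STASH => Template::Stash::AutoEscaping->new({ %stash_opts }),
    }) or die Template->error;
    my $out = '';
    $tt->process(\$template, { %vars }, \$out) or die $tt->error;
    return $out;
}

# Custom escaper in the shape the escape_method option documents:
# it takes the text and returns the escaped text.
sub strict_escape {
    my $text = shift;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $text =~ s/([&<>"'])/$ent{$1}/g;
    return $text;
}

print "-- default HTML escaping --\n",
    render(ignore_escape => ['trusted_html']);
print "-- custom escape_method --\n",
    render(ignore_escape => ['trusted_html'],
           escape_method => \&strict_escape);
```

When reviewing templates, every `.raw` and every name in ignore_escape marks a place where a value reaches the page unescaped, so each one needs its own justification.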
AUTHOR
mala <cpan@ma.la> (original author of Template::Stash::AutoEscape)
Shlomi Fish (<http://www.shlomifish.org/>) added some
enhancements and fixes, while disclaiming all rights, as part of his work
for <http://reask.com/> and released the result as
"Template::Stash::AutoEscaping".
SEE ALSO
Template, Template::Stash::EscapedHTML, Template::Stash::AutoEscape
LICENSE
This library is free software; you can redistribute it and/or modify it under
the same terms as Perl itself.