Scroll to navigation

Template::Stash::AutoEscaping(3pm) User Contributed Perl Documentation Template::Stash::AutoEscaping(3pm)

NAME

Template::Stash::AutoEscaping - escape automatically in Template-Toolkit.

SYNOPSIS

  use Template;
  use Template::Stash::AutoEscaping;
  my $tt = Template->new({
    STASH => Template::Stash::AutoEscaping->new
  });

METHODS

new

die_on_unescaped
This value, if set to a true value, causes the process to throw an exception upon encountering a value that was not explicitly set to be escaped or was marked as a raw value.
escape_type
default is HTML
method_for_escape
The default method to escape a value explicitly (mostly useful with "die_on_unescaped" .
method_for_raw
default is raw, you can get not escaped value from [% value.raw %]
escape_method
  my $tt = Template->new({
    STASH => Template::Stash::AutoEscaping->new({
        escape_method => sub { my $text = shift; ... ; return $text }
    })
  });
ignore_escape
  my $stash = Template::Stash::AutoEscaping->new({ignore_escape => [qw(include_html include_raw my_escape_func)], ... );

  You can disable auto-escape for some value or TT-Macro.
  For example: include other component, for output safety html, using other escape method, etc.

class_for

    Template::Stash::AutoEscaping->class_for("HTML") # Template::Stash::AutoEscaping::Escaped::HTML
    Template::Stash::AutoEscaping->class_for("HTML" => "MyHTMLString");

escape

For internal use.

escape_count

For internal use.

get

For internal use.

get_raw_args

For internal use.

DESCRIPTION

Template::Stash::AutoEscaping is a sub class of Template::Stash, automatically escape all HTML strings and avoid XSS vulnerability.

CONFIGURE

$Template::Stash::AutoEscaping::ESCAPE_ARGS
 default is 0. for example "key of hash" or "args of vmethods" are not escaped. I think this is good in most cases.
 [% hash.${key} %] [% hash.item(key) %] means [% hash.${key.raw} | html %] [% hash.item(key.raw) | html %] by default.

AUTHOR

mala <cpan@ma.la> (original author of Template::Stash::AutoEscape)

Shlomi Fish (<http://www.shlomifish.org/>) added some enhancements and fixes, while disclaiming all rights, as part of his work for <http://reask.com/> and released the result as "Template::Stash::AutoEscaping" .

SEE ALSO

Template, Template::Stash::EscapedHTML, Template::Stash::AutoEscape

LICENSE

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.
2016-02-04 perl v5.22.1