use warnings;
use base 'Exporter';
+use Carp;
use Fcntl qw(:flock);
-our $VERSION = '1.00';
+our $VERSION = '1.01';
our @EXPORT = qw/Entity DecodeURI EncodeURI Include include PLP_END
+ EscapeHTML
AddCookie ReadFile WriteFile AutoURL Counter exit/;
sub Include ($) {
push @PLP::END, shift;
}
+sub EscapeHTML {
+ @_ == 1 or croak "Unsupported parameters given to EscapeHTML";
+ unshift @_, shift if defined wantarray; # dereference if not void
+ for ($_[0]) {
+ defined or next;
+ s/&/&/g;
+ s/"/"/g;
+ s/</</g;
+ s/>/>/g;
+ }
+ return $_[0];
+}
+
sub Entity (@) {
my $ref = defined wantarray ? [@_] : \@_;
for (@$ref) {
You should use this function instead of Perl's built-in C<END> blocks, because those do not work properly with mod_perl.
+=item EscapeHTML STRING
+
+Replaces HTML syntax characters by HTML entities, so the text can be output safely.
+You should always use this when displaying user input (or database output),
+to avoid cross-site-scripting vurnerabilities.
+
+In void context, B<changes> the value of the given variable.
+
+ <: EscapeHTML($user_input); print "<pre>$user_input</pre>"; :>
+
+In other contexts, returns the changed version.
+
+ <a href="<:= EscapeHTML($ENV{REQUEST_URI}) :>">
+
+Be warned that single quotes are not substituted, so always use double quotes for attributes.
+Also does not convert whitespace for formatted output; use Entity() for that.
+
+To escape high-bit characters as well, refer to L<HTML::Entities|HTML::Entities>.
+
=item Entity LIST
-Replaces HTML syntax characters by HTML entities, so they can be displayed literally. You should always use this when displaying user input (or database output), to avoid cross-site-scripting vurnerabilities.
+Formats given arguments for literal display in HTML documents.
+Similar to EscapeHTML(), but also preserves newlines and consecutive spaces
+using corresponding C<< <br> >> and C< > respectively.
In void context, B<changes> the values of the given variables. In other contexts, returns the changed versions.
- <: print Entity($user_input); :>
+ <: print '<p>' . Entity($user_input) . '</p>'; :>
-Be warned that this function also HTMLizes consecutive whitespace and newlines (using and <br> respectively).
-For simple escaping, use L<XML::Quote|XML::Quote>.
-To escape high-bit characters as well, use L<HTML::Entities|HTML::Entities>.
+Inside attributes, always use EscapeHTML() instead.
=item EncodeURI LIST
/ ? : @ $
This should be safe for escaping query values (as in the example above),
-but it may be a better idea to use L<URI::Escape|URI::Escape> instead.
+but otherwise it may be a better idea to use L<URI::Escape|URI::Escape> instead.
=item DecodeURI LIST
" Vim syntax file
" Language: PLP (Perl in HTML)
" Maintainer: Shiar <perl@shiar.org>
-" Last Change: 2002 May 20
+" Last Change: 2009 October 19
" Cloned From: aspperl.vim
" Author: Juerd <juerd@juerd.nl>
syn keyword perlControl PLP_END
syn keyword perlStatementInclude include Include
syn keyword perlStatementFiles ReadFile WriteFile Counter
-syn keyword perlStatementScalar Entity AutoURL DecodeURI EncodeURI
+syn keyword perlStatementScalar EscapeHTML Entity AutoURL DecodeURI EncodeURI
syn cluster PLPperlcode contains=perlStatement.*,perlFunction,perlOperator,perlVarPlain,perlVarNotInMatches,perlShellCommand,perlFloat,perlNumber,perlStringUnexpanded,perlString,perlQQ,perlControl,perlConditional,perlRepeat,perlComment,perlPOD,perlHereDoc,perlPackageDecl,perlElseIfError,perlFiledescRead,perlMatch
--- /dev/null
+use strict;
+
+use Test::More tests => 6;
+
+BEGIN { use_ok('PLP::Functions', 1.01) }
+
+# EscapeHTML
+
+is(
+ EscapeHTML(qq{\t<a test="'&'"/>\n}),
+ "\t<a test="'&'"/>\n",
+ 'EscapeHTML'
+);
+
+is(
+ EscapeHTML(undef),
+ undef,
+ 'EscapeHTML undef'
+);
+
+is(
+ eval { EscapeHTML('output', '') },
+ undef,
+ 'EscapeHTML parameters'
+);
+
+is(
+ eval { my $val = qq{ ><"\n}; EscapeHTML($val); $val },
+ " ><"\n",
+ 'EscapeHTML replace'
+);
+
+is(
+ eval { EscapeHTML('output'); return 'no error' },
+ undef,
+ 'EscapeHTML read-only modification'
+);
+