use strict;
use warnings;
-use Exporter qw(import);
+use base 'Exporter';
+use Carp;
use Fcntl qw(:flock);
-our $VERSION = '1.00';
+our $VERSION = '1.01';
our @EXPORT = qw/Entity DecodeURI EncodeURI Include include PLP_END
+ EscapeHTML
AddCookie ReadFile WriteFile AutoURL Counter exit/;
sub Include ($) {
$PLP::inA = 0;
$PLP::inB = 0;
local $@;
- eval 'package PLP::Script; ' . PLP::source($PLP::file, 0, join ' ', (caller)[2,1]);
+ eval 'package PLP::Script; no warnings; ' . PLP::source($PLP::file, 0, join ' ', (caller)[2,1]);
if ($@) {
PLP::Functions::exit() if $@ =~ /\cS\cT\cO\cP/;
PLP::error($@, 1);
push @PLP::END, shift;
}
+sub EscapeHTML {
+ @_ == 1 or croak "Unsupported parameters given to EscapeHTML";
+ unshift @_, shift if defined wantarray; # dereference if not void
+ for ($_[0]) {
+ defined or next;
+ s/&/&/g;
+ s/"/"/g;
+ s/</</g;
+ s/>/>/g;
+ }
+ return $_[0];
+}
+
sub Entity (@) {
my $ref = defined wantarray ? [@_] : \@_;
for (@$ref) {
+ defined or next;
eval {
s/&/&/g;
s/"/"/g;
sub DecodeURI (@) {
my $ref = defined wantarray ? [@_] : \@_;
for (@$ref) {
+ defined or next;
eval {
tr/+/ /; # Browsers do tr/ /+/ - I don't care about RFCs, but
# I do care about real-life situations.
sub EncodeURI (@) {
my $ref = defined wantarray ? [@_] : \@_;
for (@$ref) {
+ defined or next;
eval {
s{([^A-Za-z0-9\-_.!~*'()/?:@\$,])}{sprintf("%%%02x", ord $1)}ge;
};
sub AddCookie ($) {
if ($PLP::Script::header{'Set-Cookie'}) {
- $PLP::Script::header{'Set-Cookie'} .= "\nSet-Cookie: $_[0]";
+ $PLP::Script::header{'Set-Cookie'} .= "\n" . $_[0];
} else {
$PLP::Script::header{'Set-Cookie'} = $_[0];
}
You should use this function instead of Perl's built-in C<END> blocks, because those do not work properly with mod_perl.
+=item EscapeHTML STRING
+
+Replaces HTML syntax characters by HTML entities, so the text can be output safely.
+You should always use this when displaying user input (or database output),
+to avoid cross-site-scripting vurnerabilities.
+
+In void context, B<changes> the value of the given variable.
+
+ <: EscapeHTML($user_input); print "<pre>$user_input</pre>"; :>
+
+In other contexts, returns the changed version.
+
+ <a href="<:= EscapeHTML($ENV{REQUEST_URI}) :>">
+
+Be warned that single quotes are not substituted, so always use double quotes for attributes.
+Also does not convert whitespace for formatted output; use Entity() for that.
+
+To escape high-bit characters as well, refer to L<HTML::Entities|HTML::Entities>.
+
=item Entity LIST
-Replaces HTML syntax characters by HTML entities, so they can be displayed literally. You should always use this when displaying user input (or database output), to avoid cross-site-scripting vurnerabilities.
+Formats given arguments for literal display in HTML documents.
+Similar to EscapeHTML(), but also preserves newlines and consecutive spaces
+using corresponding C<< <br> >> and C< > respectively.
In void context, B<changes> the values of the given variables. In other contexts, returns the changed versions.
- <: print Entity($user_input); :>
+ <: print '<p>' . Entity($user_input) . '</p>'; :>
-Be warned that this function also HTMLizes consecutive whitespace and newlines (using and <br> respectively).
-For simple escaping, use L<XML::Quote|XML::Quote>.
-To escape high-bit characters as well, use L<HTML::Entities|HTML::Entities>.
+Inside attributes, always use EscapeHTML() instead.
=item EncodeURI LIST
/ ? : @ $
This should be safe for escaping query values (as in the example above),
-but it may be a better idea to use L<URI::Escape|URI::Escape> instead.
+but otherwise it may be a better idea to use L<URI::Escape|URI::Escape> instead.
=item DecodeURI LIST