(diff from parent 1: 3dd6049)
Another function to encode html/xml, this time (imho) the "right" way by
only quoting reserved characters. The provided Entity() function would
often be unusable because of its overcomplete whitespace formatting.
This is a feature which I (have to) set up manually in many cases, which
seems very unfriendly for a module optimised for outputting HTML.
According to personal preferences, it only substitutes a minimal set of
entities:
- & and < (both required to prevent html interpretation)
- > (for xml or otherwise to ease document parsing)
- " (to make it usable in attribute values).
Single quotes (' or ') are left unquoted, assuming attributes are
always in double quotes (no reason to do otherwise).
Unlike Entity, it only handles a single argument, to allow for possible
options in the future (hopefully supporting a custom range of unsafe chars).
It also dies on failure (like trying to change read-only input), because
that is a user mistake which should not go unnoticed.
The name was devised to be more consistent with other environments (also
anticipating new URI encoding and decoding):
* php htmlspecialchars html_entity_decode urlrawencode urldecode
* javascript encodeURIComponent decodeURIComponent
* ruby CGI escapeHTML unescapeHTML escape unescape
- CGI::Simple::Util escapeHTML unescapeHTML escape unescape
- CGI::Util (simple_escape) escape unescape
- HTML::Mason::Escapes basic_html_escape url_escape
- HTML::Tiny entity_encode url_encode url_decode
* URI::Escape uri_escape_utf8 uri_unescape
* XML::Quote xml_quote xml_dequote
- PLP (legacy) Entity EncodeURI DecodeURI
- PLP (redesign) EscapeHTML UnescapeHTML EscapeURI UnescapeURI
HTML:
- Escape etc used nearly everywhere (so the obvious choice).
- Decode is only used by php, but uglily and inconsistently.
- Quote seems most appropriate linguistically, but only used in one minority
module.
URIs:
- Encode etc common in php and javascript.
- Escape etc used by ruby and several perl modules (including URI::Escape),
and is still familiar to javascript users
- URI used in all significant environments; URL only in minor modules.
bin/plp.cgi
bin/plp.fcgi
t/10-functions.t
t/50-cgi.t
t/91-meta.t
t/92-pod.t
use warnings;
use base 'Exporter';
our @EXPORT = qw/Entity DecodeURI EncodeURI Include include PLP_END
AddCookie ReadFile WriteFile AutoURL Counter exit/;
sub Include ($) {
+sub EscapeHTML {
+ @_ == 1 or croak "Unsupported parameters given to EscapeHTML";
+ unshift @_, shift if defined wantarray; # dereference if not void
+ for ($_[0]) {
+ defined or next;
+ s/&/&/g;
+ s/"/"/g;
+ s/</</g;
+ s/>/>/g;
+ }
+ return $_[0];
+}
+
sub Entity (@) {
my $ref = defined wantarray ? [@_] : \@_;
for (@$ref) {
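Review bot: EscapeHTML is not added to @EXPORT in this hunk (the list still reads `Entity DecodeURI EncodeURI Include include PLP_END AddCookie ReadFile WriteFile AutoURL Counter exit`), yet the new t/10-functions.t calls it unqualified after use_ok('PLP::Functions'); add it next to Entity. Two smaller points: the `croak` on the first line of EscapeHTML needs `use Carp;`, which the visible header (`use warnings;` / `use base 'Exporter';`) does not show, and the four substitutions render here with identical pattern and replacement (`s/&/&/g;`), presumably because the entity references on the right-hand side were decoded by the page; confirm the committed source reads `&amp;`, `&quot;`, `&lt;`, `&gt;`, with the `&` substitution kept first so the entities produced by the later three are not themselves re-encoded. The comment `# dereference if not void` describes a copy rather than a dereference (shift returns the value, unshift puts that copy back, so `$_[0]` no longer aliases the caller's variable); `# copy the argument unless called in void context` would say what the line does.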
You should use this function instead of Perl's built-in C<END> blocks, because those do not work properly with mod_perl.
+=item EscapeHTML STRING
+
+Replaces HTML syntax characters by HTML entities, so the text can be output safely.
+You should always use this when displaying user input (or database output),
+to avoid cross-site-scripting vurnerabilities.
+
+In void context, B<changes> the value of the given variable.
+
+ <: EscapeHTML($user_input); print "<pre>$user_input</pre>"; :>
+
+In other contexts, returns the changed version.
+
+ <a href="<:= EscapeHTML($ENV{REQUEST_URI}) :>">
+
+Be warned that single quotes are not substituted, so always use double quotes for attributes.
+Also does not convert whitespace for formatted output; use Entity() for that.
+
+To escape high-bit characters as well, refer to L<HTML::Entities|HTML::Entities>.
+
-Replaces HTML syntax characters by HTML entities, so they can be displayed literally. You should always use this when displaying user input (or database output), to avoid cross-site-scripting vurnerabilities.
+Formats given arguments for literal display in HTML documents.
+Similar to EscapeHTML(), but also preserves newlines and consecutive spaces
+using corresponding C<< <br> >> and C< > respectively.
In void context, B<changes> the values of the given variables. In other contexts, returns the changed versions.
- <: print Entity($user_input); :>
+ <: print '<p>' . Entity($user_input) . '</p>'; :>
-Be warned that this function also HTMLizes consecutive whitespace and newlines (using and <br> respectively).
-For simple escaping, use L<XML::Quote|XML::Quote>.
-To escape high-bit characters as well, use L<HTML::Entities|HTML::Entities>.
+Inside attributes, always use EscapeHTML() instead.
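Review bot: two defects in the added POD text: `vurnerabilities` (in `to avoid cross-site-scripting vurnerabilities.`) should be `vulnerabilities`, and in `using corresponding C<< <br> >> and C< > respectively.` the second code span is empty as rendered, where the entity Entity() emits for preserved spaces (presumably `&nbsp;`) is meant; write it as C<&nbsp;> so the POD shows the literal entity name. The attribute example `<a href="<:= EscapeHTML($ENV{REQUEST_URI}) :>">` illustrates exactly the rule stated two paragraphs later; consider placing the "always use double quotes for attributes" warning directly beside it, since a reader who copies the example into a single-quoted attribute gets no protection from the `"` substitution and the unescaped `'` would end the attribute value.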
/ ? : @ $
This should be safe for escaping query values (as in the example above),
-but it may be a better idea to use L<URI::Escape|URI::Escape> instead.
+but otherwise it may be a better idea to use L<URI::Escape|URI::Escape> instead.
" Vim syntax file
" Language: PLP (Perl in HTML)
" Maintainer: Shiar <perl@shiar.org>
-" Last Change: 2002 May 20
+" Last Change: 2009 October 19
" Cloned From: aspperl.vim
" Author: Juerd <juerd@juerd.nl>
syn keyword perlControl PLP_END
syn keyword perlStatementInclude include Include
syn keyword perlStatementFiles ReadFile WriteFile Counter
-syn keyword perlStatementScalar Entity AutoURL DecodeURI EncodeURI
+syn keyword perlStatementScalar EscapeHTML Entity AutoURL DecodeURI EncodeURI
syn cluster PLPperlcode contains=perlStatement.*,perlFunction,perlOperator,perlVarPlain,perlVarNotInMatches,perlShellCommand,perlFloat,perlNumber,perlStringUnexpanded,perlString,perlQQ,perlControl,perlConditional,perlRepeat,perlComment,perlPOD,perlHereDoc,perlPackageDecl,perlElseIfError,perlFiledescRead,perlMatch
BEGIN { use_ok('PLP::Functions') }
is(
Entity(q{<a test="'&'"/>}),
"<a test="'&'"/>",
--- /dev/null
+use strict;
+
+use Test::More tests => 6;
+
+BEGIN { use_ok('PLP::Functions', 1.01) }
+
+# EscapeHTML
+
+is(
+ EscapeHTML(qq{\t<a test="'&'"/>\n}),
+ "\t<a test="'&'"/>\n",
+ 'EscapeHTML'
+);
+
+is(
+ EscapeHTML(undef),
+ undef,
+ 'EscapeHTML undef'
+);
+
+is(
+ eval { EscapeHTML('output', '') },
+ undef,
+ 'EscapeHTML parameters'
+);
+
+is(
+ eval { my $val = qq{ ><"\n}; EscapeHTML($val); $val },
+ " ><"\n",
+ 'EscapeHTML replace'
+);
+
+is(
+ eval { EscapeHTML('output'); return 'no error' },
+ undef,
+ 'EscapeHTML read-only modification'
+);
+
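Review bot: `use_ok('PLP::Functions', 1.01)` also asserts that the module declares a $VERSION of at least 1.01, and none of the hunks on this page bump $VERSION; confirm it was raised in the same commit, otherwise the first test fails before EscapeHTML is exercised. The file has `use strict;` but no `use warnings;`, unlike the module itself. Two cases the commit message promises but the file does not check: that `'` is left untouched (`is(EscapeHTML(q{it's}), q{it's})`) and that `&` is replaced before the other characters, so an already-encoded input is encoded again rather than left alone (the intended behaviour for an escaper that makes no entity-detection claim); adding them means `tests => 6` becomes `tests => 8`. The read-only test `eval { EscapeHTML('output'); return 'no error' }` only shows that the eval died; a following `like($@, qr/read-only/)` would pin down that it died for the documented reason and not, say, because the function was not exported.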