Easy HTML escaping/encoding for Dancer apps to help prevent XSS vulnerabilities

tag: 0.04


README
NAME
    Dancer::Plugin::EscapeHTML - Escape HTML entities to avoid XSS
    vulnerabilities

SYNOPSIS
    This plugin provides convenience keywords `escape_html' and
    `unescape_html' which are simply quick shortcuts to `encode_entities'
    and `decode_entities' from HTML::Entities.

        use Dancer::Plugin::EscapeHTML;

        my $encoded = escape_html($some_html);

    It also provides optional automatic escaping of all HTML (see below).

DESCRIPTION
    This plugin is intended to provide a quick and simple way to ensure that
    HTML passed in the tokens hashref to the template is safely escaped
    (encoded), thereby helping to avoid XSS/cross-site scripting
    vulnerabilities.

    You can encode specific bits of data yourself using the `escape_html'
    and `unescape_html' keywords, or you can enable automatic escaping of
    all values passed to the template.

    In a future version, it is likely that this automatic escaping can be
    bypassed for certain values - probably by providing parameter
    names/patterns in the configuration to indicate parameters which should
    be left alone.

KEYWORDS
    When the plugin is loaded, the following keywords are exported to your
    app:

  escape_html
    Encodes HTML entities; shortcut to `encode_entities' from HTML::Entities

  unescape_html
    Decodes HTML entities; shortcut to `decode_entities' from HTML::Entities

Automatic HTML encoding
    If desired, you can also enable automatic HTML encoding of all params
    passed to templates.

    To do so, enable the `automatic_escaping' option in your app's config -
    for instance, add the following to your `config.yml':

        plugins:
            EscapeHTML:
                automatic_escaping: 1

    Now, all values passed to the template will be automatically encoded, so
    user-supplied data rendered through the template is shown as literal
    text rather than being interpreted as markup, which removes the most
    common source of XSS in template output.

    Of course, this has the drawback that you cannot provide pre-prepared
    HTML in template params to be used "as is". You can get around this by
    using the `exclude_pattern' option to provide a pattern to match token
    names which should be exempted from automatic escaping - for example:

        plugins:
            EscapeHTML:
                automatic_escaping: 1
                exclude_pattern: '_html$'

    The above would exclude token names ending in `_html' from being
    escaped.
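
    The following is an added example, not code from the plugin's own
    distribution: a minimal Dancer app that uses `escape_html' by hand in one
    route and relies on automatic escaping plus `exclude_pattern' in
    another. The route paths, template name and token names are assumptions
    made up for the example.

```perl
# Added example (not part of Dancer::Plugin::EscapeHTML itself).
# Route paths, the 'post' template and the token names are assumed.
package MyApp;
use Dancer;
use Dancer::Plugin::EscapeHTML;

# Same effect as the config.yml snippet above; set in code so the example
# runs on its own:
#   plugins:
#     EscapeHTML:
#       automatic_escaping: 1
#       exclude_pattern: '_html$'
set plugins => {
    EscapeHTML => {
        automatic_escaping => 1,
        exclude_pattern    => '_html$',
    },
};

# Manual use: escape a single untrusted value before it is interpolated
# into a response body that never goes through the template engine.
get '/hello/:name' => sub {
    my $name = escape_html( param('name') );   # "<b>x</b>" -> "&lt;b&gt;x&lt;/b&gt;"
    return "<p>Hello, $name</p>";
};

# Automatic mode: every token handed to the template is run through
# encode_entities first, except tokens whose names match exclude_pattern.
get '/post/:id' => sub {
    my $comment = param('comment') // '';
    template 'post', {
        # untrusted: "<script>" arrives at the template as "&lt;script&gt;"
        comment   => $comment,
        # trusted markup built by the app, not the user: the name ends in
        # _html, so the plugin leaves it untouched and the template can
        # render it as is
        body_html => '<h1>Welcome</h1><p>Rendered by the application.</p>',
    };
};

dance;
```

    Note that `encode_entities' with no character list also turns non-ASCII
    characters into entities, so UTF-8 text in tokens will arrive at the
    template as `&eacute;'-style entities rather than raw characters.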

SEE ALSO
    Dancer

    HTML::Entities

AUTHOR
    David Precious, `<davidp at preshweb.co.uk>'

LICENSE AND COPYRIGHT
    Copyright 2011 David Precious.

    This program is free software; you can redistribute it and/or modify it
    under the terms of either: the GNU General Public License as published
    by the Free Software Foundation; or the Artistic License.

    See http://dev.perl.org/licenses/ for more information.
