NAME
Dancer::Plugin::EscapeHTML - Escape HTML entities to avoid XSS vulnerabilities
SYNOPSIS
The plugin provides convenience keywords escape_html and unescape_html, which are simply quick shortcuts to encode_entities and decode_entities from HTML::Entities.

    use Dancer::Plugin::EscapeHTML;
    my $encoded = escape_html($some_html);

It also provides optional automatic escaping of all HTML (see below).
DESCRIPTION
This plugin is intended to provide a quick and simple way to ensure that HTML passed in the tokens hashref to the template is safely escaped (encoded), thereby helping to avoid XSS/cross-site scripting vulnerabilities.
You can encode specific bits of data yourself using the escape_html and unescape_html keywords, or you can enable automatic escaping of all values passed to the template.
In a future version, it is likely that this automatic escaping can be bypassed for certain values - probably by providing parameter names/patterns in the configuration to indicate parameters which should be left alone.
KEYWORDS
When the plugin is loaded, the following keywords are exported to your app:
escape_html
    Encodes HTML entities; shortcut to encode_entities from HTML::Entities.
unescape_html
    Decodes HTML entities; shortcut to decode_entities from HTML::Entities.
Automatic HTML encoding
If desired, you can also enable automatic HTML encoding of all params passed to templates.
To do so, enable the automatic_escaping option in your app's config - for instance, add the following to your config.yml:

    plugins:
      EscapeHTML:
        automatic_escaping: 1
Now, all values passed to the template will be automatically encoded, so you should be protected from potential XSS vulnerabilities.
Of course, this has the drawback that you cannot provide pre-prepared HTML in template params to be used "as is". It is planned that a future version of this module will allow you to configure exceptions, naming params / param name patterns which should be left alone.
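The following is an added example, not code from the module's own documentation: it contrasts a route that emits a request parameter verbatim with one that passes it through the escape_html keyword described under KEYWORDS, and uses Dancer::Test to show the difference without starting a server. The route paths and the input string are constructed for the example; the same encoding is what the automatic_escaping option above applies to every template token, so a route that rendered the value via template would get it without calling escape_html itself.

```perl
#!/usr/bin/env perl
# Added example; assumes Dancer and Dancer::Plugin::EscapeHTML are installed.
# Route names and the sample input below are made up for illustration.
use strict;
use warnings;
use Dancer;
use Dancer::Plugin::EscapeHTML;
use Dancer::Test;

# Vulnerable: the request parameter is interpolated straight into markup.
get '/greet_raw' => sub {
    my $name = params->{name} // '';
    return "<p>Hello, $name</p>";
};

# Hardened: the same value goes through escape_html before interpolation.
get '/greet_safe' => sub {
    my $name = escape_html(params->{name} // '');
    return "<p>Hello, $name</p>";
};

# Constructed input containing markup; a browser would execute it if the
# page echoed it back unencoded.
my $input = '<script>alert(1)</script>';

my $raw  = dancer_response(GET => '/greet_raw',  { params => { name => $input } });
my $safe = dancer_response(GET => '/greet_safe', { params => { name => $input } });

print "raw:  ", $raw->content,  "\n";   # the <script> element survives intact
print "safe: ", $safe->content, "\n";   # <p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;</p>

# unescape_html is the exact inverse, so encoding is lossless for the text.
die "round trip failed" unless unescape_html(escape_html($input)) eq $input;
```

Note the drawback the paragraph above describes: if automatic_escaping is on and a template token already holds encoded or hand-written HTML, that fragment is encoded a second time and the browser shows the literal tags. Until the planned exceptions exist, keep pre-prepared HTML out of template params and build it in the template itself.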
SEE ALSO
AUTHOR
David Precious, <davidp at preshweb.co.uk>
LICENSE AND COPYRIGHT
Copyright 2011 David Precious.
This program is free software; you can redistribute it and/or modify it under the terms of either: the GNU General Public License as published by the Free Software Foundation; or the Artistic License.
See http://dev.perl.org/licenses/ for more information.