[dancer-users] Best practice to escape HTML entities in Dancer2 and TT

Hermann Calabria hermann at ivouch.com
Sat Feb 10 17:16:52 GMT 2018


Why not use TT’s native FILTER capability:

<% somehtml FILTER html %>

From an MVC perspective it’s probably the right place to do html escaping — not at the lib (Model) level.

You can also pipe additional filters:

<% somehtml FILTER html | html_line_break | more filters %>

Sent from my mobile. Please excuse brevity & typos.

> On Feb 10, 2018, at 8:39 AM, Lutz Gehlen <lrg_ml at gmx.net> wrote:
> 
> Hi Shlomi,
> 
> thanks for your reply. I have tried to use your module, but I am 
> unsure how to activate it in my Dancer2 application. I have added 
> the class as STASH to my template engine in config.yml:
> 
> template: "template_toolkit"
> engines:
>  template:
>    template_toolkit:
>      start_tag: '[%'
>      end_tag:   '%]'
>      ENCODING: utf8
> <snip>...</snip>
>      STASH: 'Template::Stash::AutoEscaping'
> 
> First, I got the error message that the module was not loaded, but 
> even if I load the module manually I get:
> 
> Can't use string ("Template::Stash::AutoEscaping") as a HASH ref 
> while "strict refs" in use at 
> /usr/local/lib/x86_64-linux-gnu/perl/5.20.2/Template/Stash.pm line 161.
> 
> It seems like Template::Stash expects an instance of the stash class 
> (like you show in the SYNOPSIS section of your module). But how do I 
> tell Dancer2 to instantiate the class and hand it over to TT? Can 
> you help me with that?
> 
> Cheers,
> Lutz
> 
> 
>> On Saturday, 10.02.2018 13:42:01 Shlomi Fish wrote:
>> Hi Lutz,
>> 
>> On Sat, 10 Feb 2018 11:15:07 +0100
>> 
>> Lutz Gehlen <lrg_ml at gmx.net> wrote:
>>> Hello all,
>>> 
>>> in Dancer1, I have been using Dancer::Plugin::EscapeHTML to
>>> automatically escape HTML entities in server generated output. I
>>> have never tried to figure out how it does its job, but it
>>> seemed to do what I needed.
>>> 
>>> I have not found a similar plugin for Dancer2. However, this
>>> must be a widespread problem, isn't it? What is the best
>>> practice to automatically escape HTML entities with Dancer2 and
>>> Template::Toolkit?
>> 
>> perhaps see
>> https://metacpan.org/release/Template-Stash-AutoEscaping . Note
>> that it is a fork by me of a different module.
>> 
>>> Thank you and best wishes,
>>> Lutz
>>> 
>>> _______________________________________________
>>> dancer-users mailing list
>>> dancer-users at dancer.pm
>>> http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
> 

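The FILTER approach from the reply above, as an added stand-alone example that is not part of the original thread: it renders one constructed input unfiltered, with `FILTER html`, and with `html` and `html_line_break` piped in both orders. The variable name `somehtml` and the `<% %>` tags come from the reply; the sample string and the case labels are assumptions made for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Template;

# Tag style matches the snippets in the reply (<% ... %>); use whatever
# start_tag/end_tag your config.yml sets.
my $tt = Template->new({ START_TAG => '<%', END_TAG => '%>' })
    or die Template->error;

# Constructed sample standing in for user-supplied data.
my %vars = (
    somehtml => qq{<script>alert(1)</script>\nTom & "Jerry" say 'hi'},
);

# One template fragment per case; "|" is TT's alias for FILTER.
my @cases = (
    [ 'unfiltered'             => q{<% somehtml %>} ],
    [ 'FILTER html'            => q{<% somehtml FILTER html %>} ],
    [ 'html | html_line_break' => q{<% somehtml | html | html_line_break %>} ],
    [ 'html_line_break | html' => q{<% somehtml | html_line_break | html %>} ],
);

for my $case (@cases) {
    my ($label, $src) = @$case;
    my $out = '';
    $tt->process(\$src, \%vars, \$out) or die $tt->error;
    print "== $label ==\n$out\n\n";
}

# What to look for in the output:
#  - unfiltered: the <script> element reaches the page as markup.
#  - FILTER html: & < > and " become entities; the single quotes around
#    'hi' pass through, so keep filtered values inside double-quoted
#    attributes.
#  - html | html_line_break: data is escaped first, then newlines become
#    <br /> tags that the browser renders as line breaks.
#  - html_line_break | html: the inserted <br /> is escaped as well and
#    shows up as literal text, so the order of piped filters matters.
```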