NAME
Dancer::Plugin::EscapeHTML - Escape HTML entities to avoid XSS
vulnerabilities
SYNOPSIS
This plugin provides convenience keywords `escape_html' and
`unescape_html' which are simply quick shortcuts to `encode_entities'
and `decode_entities' from HTML::Entities.
use Dancer::Plugin::EscapeHTML;
my $encoded = escape_html($some_html);
It also provides optional automatic escaping of all HTML (see below.)
DESCRIPTION
This plugin is intended to provide a quick and simple way to ensure that
HTML passed in the tokens hashref to the template is safely escaped
(encoded), thereby helping to avoid XSS/cross-site scripting
vulnerabilities.
You can encode specific bits of data yourself using the `escape_html'
and `unescape_html' keywords, or you can enable automatic escaping of
all values passed to the template.
In a future version, it is likely that this automatic escaping can be
bypassed for certain values - probably by providing parameter
names/patterns in the configuration to indicate parameters which should
be left alone.
KEYWORDS
When the plugin is loaded, the following keywords are exported to your
app:
escape_html
Encodes HTML entities; shortcut to `encode_entities' from HTML::Entities
unescape_html
Decodes HTML entities; shortcut to `decode_entities' from HTML::Entities
Automatic HTML encoding
If desired, you can also enable automatic HTML encoding of all params
passed to templates.
To do so, enable the automatic_encoding option in your app's config -
for instance, add the following to your `config.yml':
plugins:
EscapeHTML:
automatic_escaping: 1
Now, all values passed to the template will be automatically encoded, so
you should be protected from potential XSS vulnerabilities.
Of course, this has the drawback that you cannot provide pre-prepared
HTML in template params to be used "as is". You can get round this by
using the `exclude_pattern' option to provide a pattern to match token
names which should be exempted from automatic escaping - for example:
plugins:
EscapeHTML:
automatic_escaping: 1
exclude_pattern: '_html$'
The above would exclude token names ending in `_html' from being
escaped.
SEE ALSO
Dancer
HTML::Entities
AUTHOR
David Precious, `'
LICENSE AND COPYRIGHT
Copyright 2011 David Precious.
This program is free software; you can redistribute it and/or modify it
under the terms of either: the GNU General Public License as published
by the Free Software Foundation; or the Artistic License.
See http://dev.perl.org/licenses/ for more information.