INTRODUCTION
When your application templates are just pure HTML5 files, it becomes easy for the front-end developers to work with almost no coordination with the backend team. Even if you buy a "website theme" from one of those online markets, which of course wasn't developed to your application, it is very easy to slice it into 'layout', 'header', 'footer' and 'content' template files.
HTML vs TEXT
The distinction between text and HTML is very important, its the cause of the XSS vulnerability. This vulnerability got so common on the web because almost all template engines are designed to process text. These engines can be used to render a config file, a christmas letter, and also HTML.
Sure, all of those templating engines also provides a way to properly HTML-escape a value, usualy in the form of filters. But being a text templating engine they can't just HTML-escape values by default. The reality when using that kind of engine is that developers can (and will) forget to add the proper filters, or just don't know about this security vulnerability at all.
Plift is a template engine just for HTML, implemented on top of libxml. Which means that for rendering text, we call "createTextNode" in XML::LibXML::Document, for attributes, "setAttribute" in XML::LibXML::Document and for rendering the final document we call "toStringHTML" in XML::LibXML::Document. Libxml takes care of the proper escaping.
Does it mean I'm immune to XSS vulnerability? No, you can still tell Plift to render unescaped HTML, but its not the default.
jQuery-like API
Plift uses XML::LibXML::jQuery, which provides a API to manipulate HTML that most web developers are already familiar with.
I plan for a future Plift version to expose all features to an embedded javascript runtime.
AUTHOR
Carlos Fernando Avila Gratz <cafe@kreato.com.br>