NAME
Template::EmbeddedPerl::SafeString - String rendering safety
SYNOPSIS
use Template::EmbeddedPerl::SafeString 'safe', 'escape_html';
DESCRIPTION
Protecting your templates from the various types of character injection attacks is a prime concern for anyone working on an HTML user interface. This class provides some methods and exports to make that job easier.
EXPORTABLE FUNCTIONS
The following functions can be exported by this library.
safe
Given a string or array of strings, returns each marked as 'safe' by calling html_escape on the string and then encapsulating it inside an instance of Template::EmbeddedPerl::SafeString. You can safely pass any argument to this, since if the string is already marked safe we just return it unaltered.
flattened_safe
Same as safe, but always returns a single string even if you pass an array of strings (they are all joined together).
raw
Given a string or array of strings, returns each marked as safe (by encapsulating it inside an instance of Template::EmbeddedPerl::SafeString). This just marks the strings as safe without doing any escaping first (for that see safe), so be careful with this.
flattened_raw
Same as raw, but always returns a single string even if you pass an array of strings (they are all joined together).
is_safe
Given a string, returns a boolean indicating whether it is marked safe or not. Since safe and raw never double the encapsulation / escaping, you will probably never need this, but there was no reason not to expose it.
escape_html
A wrapper around HTML::Escape, just to make your life a bit easier.
CLASS METHODS
This package exposes the following class methods.
new
my $safe_string = Template::EmbeddedPerl::SafeString->new(@strings);
Given a string, or array of strings, returns a single string that has been html_escape'd as needed and encapsulated in an instance. It's safe to pass arguments to this without testing them, since if a string is already marked safe we don't do any extra escaping (although you will get a new instance).
INSTANCE METHODS
Instances of Template::EmbeddedPerl::SafeString expose the following public methods.
concat
Returns a new safe string which appends a list of strings to the old one, making those new strings 'safe' as needed. In other words, this escapes any strings not already marked safe and then joins them all together into a single safe string.
to_string
Returns the raw string, suitable for display.
to_bool
Returns a boolean indicating if the string is empty or not.
OVERLOADING
String context calls to_string; boolean context returns true unless the string is empty.
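The following is an added example, not part of this module's own documentation, showing how the exports and instance methods above fit together when rendering untrusted input: safe() escapes once and never twice, raw() is reserved for markup the application built itself, and concat() mixes the two without losing the escaping. The sample values are constructed for the example.

```perl
use strict;
use warnings;
use Template::EmbeddedPerl::SafeString qw(safe raw is_safe escape_html);

# Constructed sample values: one untrusted string as a user might submit it,
# and one fragment the application itself produced and trusts.
my $user_name  = q{<script>alert(1)</script> O'Brien};
my $app_markup = q{<strong>Welcome</strong>};

# safe() html-escapes the untrusted value and wraps it in a SafeString.
my $name = safe($user_name);
print "escaped once:   ", $name->to_string, "\n";

# Re-wrapping an already safe value does not escape it a second time,
# so template code can call safe() on anything without double-escaping.
my $again = safe($name);
print "no double escaping\n" if $again->to_string eq $name->to_string;

# raw() marks a string safe WITHOUT escaping. Only use it for markup the
# application generated; never for anything that arrived in a request.
my $markup = raw($app_markup);

# concat() escapes the plain (unmarked) separator, leaves the already safe
# pieces alone, and returns a single safe string.
my $line = $markup->concat(', ', $name, '!');
print "rendered line:  $line\n";    # string context calls to_string

# is_safe() reports which values have been marked; the raw user string has not.
for my $v ($user_name, $name, $markup) {
    my $text = ref $v ? $v->to_string : $v;
    printf "%-45s is_safe=%d\n", $text, is_safe($v) ? 1 : 0;
}

# escape_html() is the plain wrapper when you only want the escaped text
# and not a SafeString instance.
print "escape_html:    ", escape_html(q{"quoted" & <tagged>}), "\n";

# Boolean context is true unless the wrapped string is empty.
print "empty safe string is false\n" unless safe('');
```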