NAME

Valiant::HTML::SafeString - String rendering safety

SYNOPSIS

use Valiant::HTML::SafeString 'safe', 'escape';

DESCRIPTION

Protecting your templates from the various types of character injection attacks is a prime concern for anyone building an HTML user interface. This class provides some methods and exports to make that job easier.

EXPORTABLE FUNCTIONS

The following functions can be exported by this library.

safe

Given a string or an array of strings, returns each marked as 'safe': the string is passed through html_escape and then wrapped in an instance of Valiant::HTML::SafeString. It is safe to pass any value to this, since a string that is already marked safe is returned unaltered rather than being escaped a second time.

flattened_safe

Same as safe but always returns a string even if you pass an array of strings (they are all joined together).

raw

Given a string or an array of strings, returns each marked as safe (by wrapping it in an instance of Valiant::HTML::SafeString). This only marks strings as safe and does no escaping first (for that, see safe), so use it only on markup you already trust.

flattened_raw

Same as raw but always returns a string even if you pass an array of strings (they are all joined together).

is_safe

Given a string, returns a boolean indicating whether it is marked safe. Since safe and raw never double-escape, you will probably never need this, but there was no reason not to expose it.

CLASS METHODS

This package exposes the following class methods.

new

my $safe_string = Valiant::HTML::SafeString->new(@strings);

Given a string, or an array of strings, returns a single string that has been html_escape'd as needed and wrapped in an instance. It is safe to pass arguments to this without testing them first, since a string that is already marked safe is not escaped again (although you will get a new instance).

INSTANCE METHODS

Instances of Valiant::HTML::SafeString expose the following public methods.

concat

Returns a new safe string that appends a list of strings to the existing one, marking the new strings 'safe' as needed: any string not already marked safe is escaped, and all of them are then joined into a single safe string.

to_string

Returns the raw string, suitable for display.

OVERLOADING

String context calls to_string; boolean context returns true.
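The following is an added example and not code from the Valiant distribution; it assumes the exports and methods behave exactly as documented above, and that html_escape entity-encodes the usual HTML metacharacters. It shows untrusted input being escaped once, an already-safe value passing through unchanged, and trusted markup being combined with untrusted text via concat.

```perl
use strict;
use warnings;
use Valiant::HTML::SafeString 'safe', 'raw', 'is_safe';

# Constructed sample input, as a user might submit it in a form field.
my $user_input = q{<script>alert("x")</script>};

# safe() escapes the untrusted string once and returns it wrapped in a
# SafeString instance, so the markup renders as literal text in the page.
my $escaped = safe($user_input);
print $escaped->to_string, "\n";

# Passing an already-safe value through safe() again returns it unaltered,
# so layered helpers cannot double-escape the same string.
my $again = safe($escaped);
print is_safe($again) ? "still safe, not double-escaped\n" : "unexpected\n";

# raw() only marks a string as safe without escaping it. Reserve it for
# markup you control; untrusted input must go through safe() instead.
my $label = raw('<strong>Comment:</strong> ');

# concat() escapes the untrusted argument, leaves the trusted label alone,
# and joins both into one safe string.
my $line = $label->concat($user_input);
print $line->to_string, "\n";

# String context calls to_string via overloading, so interpolation works too.
print "$line\n";
```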

SEE ALSO

Valiant, Valiant::HTML::FormBuilder

AUTHOR

See Valiant

COPYRIGHT & LICENSE

See Valiant