I am busy rewriting some stuff from my "mason tutorial" to reflect
hhaamu's concerns about SQL injection and escaping HTML reserved
characters using |h.
Unfortunately, |h *does not* escape the single quote! This is a
significant problem:
By using placeholders, a user can now submit a term containing a single
quote to the db, such as "it's this", etc. The point being the db can
contain strings with single quotes in them.
But, using Ajax.Updater, strings brought back from the db cause a
problem here:
parameters: { name: '<%$data[1]%>'....
because $data[1] can contain a single quote. So I had to write a
simple little function:
sub esc_squote {
    my $ref = shift;
    # Replace every single quote with its HTML entity (the entity text
    # here is assumed; the /g flag is needed so all quotes are replaced,
    # not just the first).
    $$ref =~ s/'/&#39;/g;
}
The problem is, once a variable has been so pre-treated, I discovered
that I cannot do this:
<% $data[1] |h %>
because |h evidently causes any escape code to be rendered literally on
screen:
it&#39;s this
Not a big deal, since I can modify esc_squote to cover the
other four characters and not have to use |h at all. The other option
is to write javascript wrappers for Ajax.Updater which must be
customized for each individual task, which is a lot more work.
So I am going to have to say something in the tutorial like "While
Mason provides |h, I don't use it here because we must also escape the
single quote. Instead, I will use a ZooDemo.pm function to cover all
five reserved characters." Although in fact I will probably mix the
two, using |h where possible because it is easier.
Would it be fair to call this an *oversight*, and if so is there any
intention to fix it in the future?
MK
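An added example in plain Perl (not from MK's post, and not from Mason or the
ZooDemo.pm module he mentions) showing the two escapers this situation calls
for. The first covers all five HTML reserved characters, including the single
quote that |h leaves alone. The second is for a value dropped into a JavaScript
string literal, which is where the value in parameters: { name: '...' } actually
lands; HTML entities are the wrong encoding for that context, which is why an
entity-escaped value came back out as literal text. The function names esc_html
and esc_js and the sample value are my own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not code from the original post. Two context-specific
# escapers: one for HTML text or attribute content, one for a
# single-quoted JavaScript string literal.

# All five HTML reserved characters, including the single quote.
my %html_entity = (
    '&' => '&amp;',
    '<' => '&lt;',
    '>' => '&gt;',
    '"' => '&quot;',
    "'" => '&#39;',
);

# Escape a value for HTML text or a double-quoted HTML attribute.
sub esc_html {
    my ($s) = @_;
    $s =~ s/([&<>"'])/$html_entity{$1}/g;
    return $s;
}

# Escape a value for use inside a single-quoted JavaScript string literal.
# Backslash is handled first so later replacements are not double-escaped.
# '<' and '>' become \x3c and \x3e so a value containing "</script>"
# cannot end the surrounding script block.
sub esc_js {
    my ($s) = @_;
    $s =~ s/\\/\\\\/g;
    $s =~ s/'/\\'/g;
    $s =~ s/"/\\"/g;
    $s =~ s/\n/\\n/g;
    $s =~ s/\r/\\r/g;
    $s =~ s/</\\x3c/g;
    $s =~ s/>/\\x3e/g;
    return $s;
}

# Constructed sample value: a single quote plus some markup.
my $value = q{it's <b>this</b>};

# Same value, two contexts, two different encodings.
print "HTML:       ", esc_html($value), "\n";
print "JavaScript: parameters: { name: '", esc_js($value), "' }\n";
```

The point for the tutorial is that the escaper has to match the context the
value is inserted into. Inside an HTML page, esc_html (or |h for the four
characters it covers) is right; inside the JavaScript literal passed to
Ajax.Updater, esc_js is right, and the HTML-entity form is what produced the
"it&#39;s" on screen. If JavaScript later writes that value back into the page
as HTML, it needs HTML escaping at that point as well.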
_______________________________________________
Mason-users mailing list
https://lists.sourceforge.net/lists/listinfo/mason-users