Subject: wish: escape=html should be on by default.
HTML::Template's escaping is insecure by default, requiring you to turn on
the security of HTML escaping just where you think you need it. If you
don't have security on your mind, it's easy not to do this. Unless you
test explicitly for security issues, it may be easy to miss an XSS hole
as it goes through alpha and beta testing, release, and into production.
Like Django's templating system, HTML::Template should be
secure by default in regards to escaping. "escape=HTML" should be the
default. Then if you have a place where you *know* you need to
let through raw HTML, you can turn off escaping in just that one place,
so that you acknowledge each place where you choose to lower security.
In terms of backwards compatibility, users who have explicitly declared
"escape=HTML" or "escape=NONE" everywhere they need it are already
covered. And if anyone declares "default_escape", there will be no
change for them.
What remains are the people and projects who have not thought out all
the places where they need to allow or disallow HTML escaping. The
change will bring this issue to their awareness so they can make
the necessary changes, if they choose to upgrade HTML::Template.
Also, it can be documented how people can choose to enable the legacy
insecure default with a single line of code.
Mark
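An added example (not part of the ticket) showing the two behaviours the wish contrasts: the same template rendered with the legacy constructor, where nothing is escaped, and with `default_escape => 'HTML'`, where every `TMPL_VAR` is escaped unless the template opts out with `ESCAPE=NONE`. The template text and the sample inputs are constructed for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Template;

# Constructed template: one variable carries user-supplied text, the other
# carries markup the application generated itself and wants left intact.
my $template_text = <<'TMPL';
<p>Hello, <TMPL_VAR NAME="user_name"></p>
<div><TMPL_VAR NAME="site_notice" ESCAPE=NONE></div>
TMPL

# Constructed sample inputs (not real data).
my $untrusted_name = q{<script>alert(document.cookie)</script>};
my $trusted_notice = q{<em>Maintenance window: Sunday 02:00</em>};

# Legacy behaviour: no default escaping, so the untrusted value reaches the
# page verbatim and the <script> element is live in the rendered HTML.
my $legacy = HTML::Template->new(scalarref => \$template_text);
$legacy->param(user_name => $untrusted_name, site_notice => $trusted_notice);
print "--- legacy default (no escaping) ---\n", $legacy->output;

# Secure-by-default behaviour the ticket asks for: default_escape => 'HTML'
# HTML-escapes user_name, while site_notice is passed through because the
# template explicitly declares ESCAPE=NONE at that one place (the opt-out
# spelling used in the ticket; ESCAPE=0 is the documented equivalent).
my $secure = HTML::Template->new(
    scalarref      => \$template_text,
    default_escape => 'HTML',
);
$secure->param(user_name => $untrusted_name, site_notice => $trusted_notice);
print "--- default_escape => 'HTML' ---\n", $secure->output;
```

Diffing the two outputs is a quick way to audit an existing template set: every place where the outputs differ is a place that was relying on the legacy unescaped default.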