Security Advisories (1)
CVE-2026-5090 (2026-05-19)

Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected. The html_filter function did not escape single quotes. HTML attributes inside of single quotes could be have code injected. For example, the variable "var" in <a id='ref' title='[% var | html %]'> would not be properly escaped. An attacker could insert some limited HTML and JavaScript, for example, var = " ' onclick='while (true) { alert(1) }'" Note that arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double-quotes would still be escaped.

#------------------------------------------------------------------------ -- test -- [% sql = " SELECT * FROM table" -%] SQL: [% sql %] -- expect -- SQL: SELECT * FROM table

-- test -- [% a = "\a\b\c\ndef" -%] a: [% a %] -- expect -- a: abc def

-- test -- [% a = "\f\o\o" b = "a is '$a'" c = "b is \$100" -%] a: [% a %] b: [% b %] c: [% c %]

-- expect -- a: foo b: a is 'foo' c: b is $100

-- test -- [% tag = { a => "[\%" z => "%\]" } quoted = "[\% INSERT foo %\]" -%] A directive looks like: [% tag.a %] INCLUDE foo [% tag.z %] The quoted value is [% quoted %]

-- expect -- A directive looks like: [% INCLUDE foo %] The quoted value is [% INSERT foo %]

-- test -- =[% wintxt | replace("(\r\n){2,}", "\n<break>\n") %]

-- expect -- =foo <break> bar <break> baz

-- test -- [% nl = "\n" tab = "\t" -%] blah blah[% nl %][% tab %]x[% nl; tab %]y[% nl %]end -- expect -- blah blah x y end

#------------------------------------------------------------------------ # STOP RIGHT HERE! #------------------------------------------------------------------------

-- stop --

-- test -- alist: [% $alist %] -- expect -- alist: ??

-- test -- [% foo.bar.baz %]

1 POD Error

The following errors were encountered while parsing the POD:

Around line 178:

Unknown directive: =this