NAME

Dancer::Plugin::EscapeHTML - Escape HTML entities to avoid XSS vulnerabilities

SYNOPSIS

This plugin provides convenience keywords escape_html and unescape_html which are simply quick shortcuts to encode_entities and decode_entities from HTML::Entities.

use Dancer::Plugin::EscapeHTML;

my $encoded = escape_html($some_html);

It also provides optional automatic escaping of all HTML (see below.)

DESCRIPTION

This plugin is intended to provide a quick and simple way to ensure that HTML passed in the tokens hashref to the template is safely escaped (encoded), thereby helping to avoid XSS/cross-site scripting vulnerabilities.

You can encode specific bits of data yourself using the escape_html and unescape_html keywords, or you can enable automatic escaping of all values passed to the template.

In a future version, it is likely that this automatic escaping can be bypassed for certain values - probably by providing parameter names/patterns in the configuration to indicate parameters which should be left alone.

KEYWORDS

When the plugin is loaded, the following keywords are exported to your app:

escape_html

Encodes HTML entities; shortcut to encode_entities from HTML::Entities

unescape_html

Decodes HTML entities; shortcut to decode_entities from HTML::Entities

Automatic HTML encoding

If desired, you can also enable automatic HTML encoding of all params passed to templates.

To do so, enable the automatic_encoding option in your app's config - for instance, add the following to your config.yml:

plugins:
    EscapeHTML:
        automatic_escaping: 1

Now, all values passed to the template will be automatically encoded, so you should be protected from potential XSS vulnerabilities.

Of course, this has the drawback that you cannot provide pre-prepared HTML in template params to be used "as is". You can get round this by using the exclude_pattern option to provide a pattern to match token names which should be exempted from automatic escaping - for example:

plugins:
    EscapeHTML:
        automatic_escaping: 1
        exclude_pattern: '_html$'

The above would exclude token names ending in _html from being escaped.

AUTHOR

David Precious, <davidp at preshweb.co.uk>

LICENSE AND COPYRIGHT

This program is free software; you can redistribute it and/or modify it under the terms of either: the GNU General Public License as published by the Free Software Foundation; or the Artistic License.

See http://dev.perl.org/licenses/ for more information.

To install Dancer::Plugin::EscapeHTML, copy and paste the appropriate command in to your terminal.

cpanm

cpanm Dancer::Plugin::EscapeHTML

CPAN shell

perl -MCPAN -e shell
install Dancer::Plugin::EscapeHTML

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)