/ 
JavaScript-Value-Escape-0.03
River stage two • 4 direct dependents • 10 total dependents
/ JavaScript::Value::Escape

NAME

JavaScript::Value::Escape - Avoid JavaScript value XSS

SYNOPSIS

use JavaScript::Value::Escape;

my $escaped = javascript_value_escape(q!&foo"bar'</script>!);
# $escaped is "\u0026foo\u0022bar\u0027\u003c\/script\u003e"

my $html_escaped = javascript_value_escape(Text::Xslate::Util::escape_html(q!&foo"bar'</script>!));

print <<EOF;
<script>
var param = '$escaped';
alert(param);

document.write('$html_escaped');

</script>
EOF

DESCRIPTION

To avoid XSS with JavaScript Value, JavaScript::Value::Escape escapes q!"!, q!'!, q!&!, q!=!, q!-!, q!+!, q!;!, q!<!, q!>!, q!/!, q!\! and control characters to JavaScript unicode characters like "\u0026".

EXPORT FUNCTION

javascript_value_escape($value:Str); Str

Escape a string. The argument of this function must be a flagged UTF-8 string (a.k.a. Perl's internal form).

AUTHOR

Masahiro Nagano <kazeburo {at} gmail.com>

SEE ALSO

LICENSE

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.