mpeters / html-template Goto Github PK

We use HTML::Template in conjunction with an Angular app and would like to escape { when using html escaping to prevent attacks of this sort. To do this, we had to fork HTML::Template. It would be nice if the escaping was customizable, either by allowing the user to pass their own mapping or allowing the user to pass callbacks to use instead of the default escaping code.

Any tag that looks like this has a weird effect on HTML::Template:

<TMPL_VAR NAME="test"/___>

If the ___ above is replaced by anything other than the empty string, the TMPL_VAR is incorrectly parsed to have the name "test"/ (quotes included). As a result, by default the tag will silently be replaced with nothing (and of course if you provide a parameter named "test"/ it will be substituted as normal).

If a space is included before the /, then the script dies with a syntax error, which I think should be the correct behavior in either case.

Minimal reproduction:

<!-- test.tpl -->
<p><TMPL_VAR NAME="test"/></p>
<p><TMPL_VAR NAME="test"/ ></p>

#!/usr/bin/env perl

# test.pl

use strict;
use warnings;
use HTML::Template;

my $html = HTML::Template->new(filename    => 'test.tpl');

$html->param(test => "This is a test file!");
# $html->param('"test"/' => "This isn't right...");

print $html->output;

Expected output:

HTML::Template->new() : Syntax error in <TMPL_*> tag at test.tpl : 2. at /usr/share/perl5/HTML/Template.pm line 2532.

Actual output:

<!-- test.tpl -->
<p>This is a test file!</p>
<p></p>

Output with the commented line uncommented:

<!-- test.tpl -->
<p>This is a test file!</p>
<p>This isn't right...</p>

I encountered a memory leak in an application (LemonLDAP::NG) that I was able to hunt back to HTML::Template.

The following script:

use HTML::Template;

my $tpltext= <<EOF;
<h1>HTML Ipsum Presents</h1>
<h2>Header Level 2</h2>
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
</code></pre>
EOF

for my $i (0..99999) {
    my $tpl = HTML::Template->new(scalarref => \$tpltext );
    my $output = $tpl->output();
}

is enough to trigger it (I also used with file and arrayref instead of scalarref)

Running this script will make memory consumption climb steadily when running CentOS 7 with the default Perl :

This is perl 5, version 16, subversion 3 (v5.16.3) built for x86_64-linux-thread-multi
(with 39 registered patches, see perl -V for more detail)

On Perl >=5.18, this behavior doesn't occur, memory usage will remain low and stable.

I know that Perl 5.16 is very outdated, but it's still the default version in CentOS7.

Have you encountered or heard of this bug before? I realize that it's probably Perl's fault and not yours, but in some (especially enterprise) environments, upgrading CentOS/Redhat's Perl is not an option. Any workaround in HTML::Template itself could be useful.

Please see https://rt.cpan.org/Ticket/Display.html?id=114549

The Changes file on CPAN and the one here don't match. The one on CPAN shows releases for 2.91 through 2.94, but the Changes file here jumps from 2.9 to 2.10.

Where's the branch that corresponds with the CPAN releases?

Unsurprisingly, t\03-associate.t fails when CGI is not already installed. It should probably be specified as test requirement so tools can install prerequisites as necessary, given that CGI is no longer in the core.