html-template's People

Contributors

dsteinbrunner, maxperl, mpeters, samtregar, scop, skx


html-template's Issues

Allow custom escaping

We use HTML::Template in conjunction with an Angular app and would like to escape { when using HTML escaping to prevent attacks of this sort. To do this, we had to fork HTML::Template. It would be nice if the escaping was customizable, either by allowing the user to pass their own mapping or allowing the user to pass callbacks to use instead of the default escaping code.
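A workaround for the request above that needs no fork: escape parameter values in application code with a mapping that covers the default ESCAPE=HTML set plus curly braces, and leave the ESCAPE attribute off the TMPL_VAR. This is an added example, not HTML::Template's own code; the helper name, the entity map and the constructed template are this example's assumptions.

```perl
#!/usr/bin/env perl
# Escape parameter values before they reach the template, covering the
# ESCAPE=HTML set plus curly braces so that user data can never form Angular's
# {{ }} interpolation syntax. Added example; the map is this example's choice.
use strict;
use warnings;
use HTML::Template;

my %map = (
    '&' => '&amp;',  '<' => '&lt;',   '>' => '&gt;',
    '"' => '&quot;', "'" => '&#39;',
    '{' => '&#123;', '}' => '&#125;',
);
# Build a character class from the map keys; quotemeta keeps { } safe in it.
my $class = join '', map { quotemeta($_) } keys %map;

sub escape_html_braces {
    my ($s) = @_;
    return '' unless defined $s;
    $s =~ s/([$class])/$map{$1}/g;
    return $s;
}

# Constructed template: the TMPL_VAR deliberately has no ESCAPE attribute, so
# the value is escaped exactly once (ESCAPE=HTML here would double-escape '&').
my $tpltext = <<'EOF';
<div ng-app>Hello, <TMPL_VAR NAME="who">!</div>
EOF

my $tpl = HTML::Template->new(scalarref => \$tpltext);
$tpl->param(who => escape_html_braces($ARGV[0] // '{{ guest }} & "friends"'));
print $tpl->output;

# Self-check on constructed input.
my $got = escape_html_braces('{{ x }} & <b>');
die "unexpected: $got"
    unless $got eq '&#123;&#123; x &#125;&#125; &amp; &lt;b&gt;';
```

Because the braces are encoded as numeric entities, the browser still renders literal { } characters while Angular's interpolation never sees them.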

Certain malformed TMPL_VAR tags are parsed oddly

Any tag that looks like this has a weird effect on HTML::Template:

<TMPL_VAR NAME="test"/___>

If the ___ above is replaced by anything other than the empty string, the TMPL_VAR is incorrectly parsed to have the name "test"/ (quotes included). As a result, by default the tag will silently be replaced with nothing (and of course if you provide a parameter named "test"/ it will be substituted as normal).

If a space is included before the /, then the script dies with a syntax error, which I think should be the correct behavior in either case.

Minimal reproduction:

<!-- test.tpl -->
<p><TMPL_VAR NAME="test"/></p>
<p><TMPL_VAR NAME="test"/ ></p>

#!/usr/bin/env perl

# test.pl

use strict;
use warnings;
use HTML::Template;

my $html = HTML::Template->new(filename => 'test.tpl');

$html->param(test => "This is a test file!");
# $html->param('"test"/' => "This isn't right...");

print $html->output;

Expected output:

HTML::Template->new() : Syntax error in <TMPL_*> tag at test.tpl : 2. at /usr/share/perl5/HTML/Template.pm line 2532.

Actual output:

<!-- test.tpl -->
<p>This is a test file!</p>
<p></p>

Output with the commented line uncommented:

<!-- test.tpl -->
<p>This is a test file!</p>
<p>This isn't right...</p>
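Until the parser rejects such tags, a template linter run before deployment catches the silent misparse described in this issue. This is an added example, not HTML::Template's code; the attribute grammar it enforces is an assumption, deliberately stricter than the module's own (and it does not cover the <!-- TMPL_VAR --> comment form). The sample template is constructed to mirror test.tpl above.

```perl
#!/usr/bin/env perl
# lint_tmpl_vars.pl: report TMPL_VAR tags whose attribute list carries trailing
# junk (e.g. NAME="test"/) instead of relying on HTML::Template's lenient parse.
# Added example; the grammar below is an assumption, stricter than the module.
use strict;
use warnings;

# An attribute value: double-quoted, single-quoted, or a bare token.
my $value = qr/(?:"[^"]*"|'[^']*'|[^\s"'<>]+)/;
# A keyword attribute; the first item of a tag may also be a bare name.
my $attr  = qr/(?:NAME|ESCAPE|DEFAULT)=$value/i;

sub lint_tmpl_vars {
    my ($template) = @_;
    my @problems;
    my $lineno = 0;
    for my $line (split /\n/, $template) {
        $lineno++;
        while ($line =~ /(<TMPL_VAR\b([^>]*)>)/gi) {
            my ($tag, $attrs) = ($1, $2);
            # Whitespace, one name or attribute, further attributes, end of tag.
            next if $attrs =~ /^\s+(?:$attr|$value)(?:\s+$attr)*\s*$/;
            push @problems, "line $lineno: malformed tag $tag";
        }
    }
    return @problems;
}

# Constructed template mirroring the report above: lines 2 and 3 are the
# variants that HTML::Template silently misreads as the name "test"/.
my $sample = <<'EOF';
<p><TMPL_VAR NAME="test"></p>
<p><TMPL_VAR NAME="test"/></p>
<p><TMPL_VAR NAME="test"/ ></p>
<p><TMPL_VAR test ESCAPE=HTML></p>
EOF

my @found = lint_tmpl_vars($sample);
print "$_\n" for @found;
die "expected 2 problems, got " . scalar(@found) unless @found == 2;
```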

Memory leak using perl 5.16

I encountered a memory leak in an application (LemonLDAP::NG) that I was able to hunt back to HTML::Template.

The following script:

use HTML::Template;

my $tpltext= <<EOF;
<h1>HTML Ipsum Presents</h1>
<h2>Header Level 2</h2>
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
</code></pre>
EOF

for my $i (0..99999) {
    my $tpl = HTML::Template->new(scalarref => \$tpltext );
    my $output = $tpl->output();
}

is enough to trigger it (I also tried it with file and arrayref instead of scalarref).

Running this script will make memory consumption climb steadily when running CentOS 7 with the default Perl:

This is perl 5, version 16, subversion 3 (v5.16.3) built for x86_64-linux-thread-multi
(with 39 registered patches, see perl -V for more detail)

On Perl >= 5.18, this behavior doesn't occur; memory usage remains low and stable.

I know that Perl 5.16 is very outdated, but it's still the default version in CentOS 7.

Have you encountered or heard of this bug before? I realize that it's probably Perl's fault and not yours, but in some (especially enterprise) environments, upgrading CentOS/Redhat's Perl is not an option. Any workaround in HTML::Template itself could be useful.
