mpeters / html-template
Perl HTML::Template module
We use HTML::Template in conjunction with an Angular app and would like to escape { when using HTML escaping to prevent attacks of this sort. To do this, we had to fork HTML::Template. It would be nice if the escaping was customizable, either by allowing the user to pass their own mapping or allowing the user to pass callbacks to use instead of the default escaping code.
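A workaround that does not require forking, added here as an example and not part of the issue or of HTML::Template itself: escape the Angular interpolation delimiters together with the usual HTML metacharacters before the value reaches param(), and leave the TMPL_VAR without an ESCAPE attribute. The escape table, the function name escape_for_angular and the sample template and input are this example's own assumptions.

```perl
#!/usr/bin/env perl
# Added example (not code from the issue or from HTML::Template): escape
# Angular's expression delimiters in addition to the default HTML set, so a
# value that survives HTML escaping cannot still be interpolated client-side.
# Requires HTML::Template from CPAN.
use strict;
use warnings;
use HTML::Template;

# Default HTML escaping plus the curly braces Angular treats as expression
# delimiters. The table and function name are this example's own.
my %ESCAPE = (
    '&' => '&amp;',  '<' => '&lt;',   '>' => '&gt;',
    '"' => '&quot;', "'" => '&#39;',
    '{' => '&#123;', '}' => '&#125;',
);

sub escape_for_angular {
    my ($value) = @_;
    return '' unless defined $value;
    $value =~ s/([&<>"'{}])/$ESCAPE{$1}/g;
    return $value;
}

# Constructed template: deliberately no ESCAPE=HTML on the tag, because the
# value is escaped by escape_for_angular() before it is handed to param().
my $tpl_text = '<p>Hello, <TMPL_VAR NAME="user"></p>';
my $tpl = HTML::Template->new(scalarref => \$tpl_text);

# Constructed sample of an untrusted field containing both an HTML tag and
# an Angular interpolation marker; both are neutralized in the output.
my $untrusted = '{{ 1 + 1 }} <b>bold</b>';
$tpl->param(user => escape_for_angular($untrusted));
print $tpl->output;
```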
Any tag that looks like this has a weird effect on HTML::Template:
<TMPL_VAR NAME="test"/___>
If the ___ above is replaced by anything other than the empty string, the TMPL_VAR is incorrectly parsed to have the name "test"/ (quotes included). As a result, by default the tag will silently be replaced with nothing (and of course if you provide a parameter named "test"/ it will be substituted as normal).
If a space is included before the /, then the script dies with a syntax error, which I think should be the correct behavior in either case.
Minimal reproduction:
<!-- test.tpl -->
<p><TMPL_VAR NAME="test"/></p>
<p><TMPL_VAR NAME="test"/ ></p>
#!/usr/bin/env perl
# test.pl
use strict;
use warnings;
use HTML::Template;
my $html = HTML::Template->new(filename => 'test.tpl');
$html->param(test => "This is a test file!");
# $html->param('"test"/' => "This isn't right...");
print $html->output;
Expected output:
HTML::Template->new() : Syntax error in <TMPL_*> tag at test.tpl : 2. at /usr/share/perl5/HTML/Template.pm line 2532.
Actual output:
<!-- test.tpl -->
<p>This is a test file!</p>
<p></p>
Output with the commented line uncommented:
<!-- test.tpl -->
<p>This is a test file!</p>
<p>This isn't right...</p>
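An added example, not from the issue or from HTML::Template, showing how a template pre-check could catch the silent-drop case above: it scans template source for <TMPL_*> tags whose quoted NAME is followed directly by stray characters and reports them with a line number. The function name and the regex-based tag matching are this example's own assumptions; it approximates, rather than reuses, HTML::Template's parser.

```perl
#!/usr/bin/env perl
# Added example, not code from the issue or from HTML::Template: a
# pre-parse lint that flags <TMPL_*> tags whose quoted NAME is directly
# followed by stray characters (the "/" case above). HTML::Template would
# otherwise accept them as part of the name and emit nothing for the tag.
use strict;
use warnings;

# Returns one message per suspicious tag, with the template line number.
# Only the <TMPL_...> syntax is checked, not the <!-- TMPL_... --> form.
sub find_malformed_tmpl_tags {
    my ($template) = @_;
    my @problems;
    while ($template =~ /(<TMPL_\w+\b[^>]*?NAME\s*=\s*(["'])[^"']*\2)([^>]*)>/gi) {
        my ($tag_head, $trailer) = ($1, $3);
        # A well-formed tag ends the NAME value with '>' or whitespace.
        next if $trailer eq '' || $trailer =~ /^\s/;
        my $before = substr($template, 0, $-[0]);
        my $line   = 1 + ($before =~ tr/\n//);
        push @problems, sprintf('line %d: stray "%s" after NAME in %s%s>',
            $line, substr($trailer, 0, 1), $tag_head, $trailer);
    }
    return @problems;
}

# Constructed input: the two tags from the minimal reproduction plus a
# well-formed tag that must not be reported.
my $tpl_text = <<'EOT';
<p><TMPL_VAR NAME="test"/></p>
<p><TMPL_VAR NAME="test"/ ></p>
<p><TMPL_VAR NAME="test" ESCAPE="HTML"></p>
EOT

my @found = find_malformed_tmpl_tags($tpl_text);
print "$_\n" for @found;
exit(@found ? 1 : 0);   # non-zero exit so a build or CI step can fail on it
```

Both tags from the reproduction are reported (the second is rejected by HTML::Template itself, but flagging it earlier costs nothing); the third tag passes.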
I encountered a memory leak in an application (LemonLDAP::NG) that I was able to hunt back to HTML::Template.
The following script:
#!/usr/bin/env perl
use strict;
use warnings;
use HTML::Template;

# Template text with a block of repeated TMPL_VAR tags; the repetition is
# part of the reproduction.
my $tpltext = <<EOF;
<h1>HTML Ipsum Presents</h1>
<h2>Header Level 2</h2>
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
<TMPL_VAR NAME="PARAMETER_NAME">
</code></pre>
EOF

# Parse and render the same template 100,000 times; on Perl 5.16.3 the
# process memory grows steadily across iterations.
for my $i (0..99999) {
    my $tpl = HTML::Template->new(scalarref => \$tpltext);
    my $output = $tpl->output();
}
is enough to trigger it (I also used it with file and arrayref instead of scalarref).
Running this script will make memory consumption climb steadily when running CentOS 7 with the default Perl:
This is perl 5, version 16, subversion 3 (v5.16.3) built for x86_64-linux-thread-multi
(with 39 registered patches, see perl -V for more detail)
On Perl >= 5.18 this behavior doesn't occur; memory usage remains low and stable.
I know that Perl 5.16 is very outdated, but it's still the default version in CentOS7.
Have you encountered or heard of this bug before? I realize that it's probably Perl's fault and not yours, but in some (especially enterprise) environments, upgrading CentOS/Redhat's Perl is not an option. Any workaround in HTML::Template itself could be useful.
The Changes file on CPAN and the one here don't match. The one on CPAN shows releases for 2.91 through 2.94, but the Changes file here jumps from 2.9 to 2.10.
Where's the branch that corresponds with the CPAN releases?
Unsurprisingly, t\03-associate.t fails when CGI is not already installed. It should probably be specified as a test requirement so tools can install prerequisites as necessary, given that CGI is no longer in the core.