4 use HTML::String::Value;
7 our @EXPORT = qw(html);
10 HTML::String::Value->new($_[0]);
19 HTML::String - mark strings as HTML to get auto-escaping
25 my $not_html = 'Hello, Bob & Jake';
27 my $html = html('<h1>').$not_html.html('</h1>');
29 print html($html); # <h1>Hello, Bob " Jake</h1>
33 use HTML::String::Overload;
35 my $not_html = 'Hello, Bob & Jake';
38 use HTML::String::Overload;
39 "<h1>${not_html}</h1>";
42 print html($html); # <h1>Hello, Bob " Jake</h1>
44 (but see the L<HTML::String::Overload> documentation for details and caveats).
46 See also L<HTML::String::TT> for L<Template Toolkit|Template> integration.
50 Tired of trying to remember which strings in your program need HTML escaping?
52 Working on something small enough to not need a templating engine - or code
53 heavy enough to be better done with strings - but wanting to be careful about
56 Yeah, me too, sometimes. So I wrote L<HTML::String>.
58 The idea here is to have pervasive HTML escaping that fails closed - i.e.
59 escapes everything that it isn't explicitly told not to. Since in the era
60 of XSS (cross site scripting) attacks it's a matter of security as well as
61 of not serving mangled markup, I've preferred to err on the side of
62 inconvenience in places in order to make it as hard as possible to screw up.
64 We export a single subroutine, L</html>, whose sole purpose in life
65 is to construct an L<HTML::String::Value> object from a string, which then
66 obsessively refuses to be concatenated to anything else without escaping it
67 unless you asked for that not to happen by marking the other thing as HTML
72 html($thing).$other_thing
74 will return an object where C<$thing> won't be escaped, but C<$other_thing>
75 will. Keeping concatenating stuff is fine; internally it's an array of parts.
77 Because html() will happily take something that's already wrapped into a
78 value object, when we print it out we can do:
80 print html($final_result);
82 safe in the knowledge that if we got passed a value object that won't break
83 anything, but if by some combination of alarums, excursions and murphy
84 strikes we still have just a plain string by that point, the plain string
85 will still get escaped on the way out.
87 If you've got distinct blocks of code where you're assembling HTML, instead
88 of using L</html> a lot you can say "all strings in this block are HTML
89 so please mark them all to not be escaped" using L<HTML::String::Overload> -
91 my $string = 'This is a "normal" string';
96 use HTML::String::Overload; # valid until the end of the block
98 $html = '<foo>'.$string.'</foo>'; # the two strings are html()ified
101 print $html; # prints <foo>This is a "normal" string</foo>
103 Note however that due to a perl bug, you can't use backslash escapes in
104 a string and have it still get marked as an HTML value, so instead of
112 at least as far as 5.16.1, which is current as I write this. See
113 L<HTML::String::Overload> for more details.
115 For integration with L<Template Toolkit|Template>, see L<HTML::String::TT>.
121 my $html = html($do_not_escape_this);
123 Returns an L<HTML::String::Value> object containing a single string part
124 marked not to be escaped.
126 If you need to do something clever such as specifying packages for which
127 to ignore escaping requests, see the L<HTML::String::Value> documentation
128 and write your own subroutine - this one is as simple as
131 return HTML::String::Value->new($_[0]);
134 so providing configuration options would likely be more complicated and
135 confusing than just writing the code.
139 mst - Matt S. Trout (cpan:MSTROUT) <mst@shadowcat.co.uk>
143 None yet - maybe this software is perfect! (ahahahahahahahahaha)
147 Copyright (c) 2012 the HTML::String L</AUTHOR> and L</CONTRIBUTORS>
152 This library is free software and may be distributed under the same terms