| #!/usr/bin/perl | |
| use strict; | |
| use warnings; | |
| use Text::Xslate; | |
| use Plack::Request; | |
| my $bs = '\\'; | |
| my %e = ( | |
| q!\\! => $bs, | |
| q!"! => 'x22', | |
| q!'! => 'x27', | |
| q!/! => '/', | |
| q!<! => 'x3c', | |
| q!>! => 'x3e', | |
| q!&! => 'x26', | |
| "\x0D" => "r", | |
| "\x0A" => "n", | |
| ); | |
| sub escape_js { | |
| my ($text) = @_; | |
| $text =~ s!([\\"'/<>&]|\x0D|\x0A)!${bs}$e{$1}!g; | |
| return $text; | |
| } | |
| my $tx = Text::Xslate->new( | |
| syntax => 'TTerse', | |
| function => { | |
| js => sub { | |
| escape_js(@_); | |
| }, | |
| js_raw => sub { | |
| Text::Xslate::mark_raw(escape_js(@_)); | |
| } | |
| } | |
| ); | |
| sub { | |
| my $env = shift; | |
| my $req = Plack::Request->new($env); | |
| my $foo = $req->param('foo') // q!&foo"bar'<b>baz</b>\ / </script>! . qq!\r\nfoo!; | |
| return [ | |
| 200, | |
| ['Content-Type'=>'text/html'], | |
| [$tx->render_string(<<'EOF', | |
| <html> | |
| <body> | |
| <script> | |
| // test | html | js | |
| var foo='[% test | html | js_raw %]'; | |
| document.write(foo); | |
| </script> | |
| <br /> | |
| <!-- test | js --> | |
| <a onclick="alert('[% test | js %]')">alert</a> | |
| </body> | |
| </html> | |
| EOF | |
| { test => $foo } | |
| )] | |
| ]; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment