
explicit setting of a variable does not seem to work with pipe based filters [rt.cpan.org #59208]

Open atoomic opened this issue 7 years ago • 7 comments

Migrated from rt.cpan.org#59208 (status was 'new')

Requestors:

From http://dekimsey.myopenid.com/ on 2010-07-08 20:31:44:

When the SET directive is used, pipe filtering doesn't seem to be applied 
to the variable.

Example:

  [% foo_uri = "foo bar" | uri %]
  I am encoded '[% foo_uri %]'

  [% SET foo_uri = "foo bar" | uri %]
  I am not encoded '[% foo_uri %]'

atoomic avatar Oct 05 '18 17:10 atoomic

let's keep the discussion in #43

atoomic avatar Oct 05 '18 19:10 atoomic

There is a pending merge request for this issue via #43, but this is the original ticket; keeping it open until we have fixed it.

atoomic avatar Oct 05 '18 19:10 atoomic

We are rejecting the pull request because it does not fix the problem. Apparently the problem is complex.

toddr avatar Oct 08 '18 16:10 toddr

#43 has been closed but might be a base for future work some day.

toddr avatar Oct 08 '18 16:10 toddr

This can lead to security holes, because e.g. in a website template: [% safe = unsafe_user_input | html %][% safe %] is fine but: [% SET safe = unsafe_user_input | html %][% safe %] will output the user input unescaped, which is not expected behaviour. I have opened a PR at https://github.com/abw/Template2/pull/216, hopefully smaller than #43 with enough effect to be worth it.

dracos avatar May 04 '19 17:05 dracos
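As an added reproduction of the failure mode described in the comment above (this is example code, not code from the ticket or from the Template2 project), the following Perl script renders both template forms quoted in the thread against a constructed attacker-controlled string and reports whether the html filter actually reached the assigned value. The sample input, the helper names render and is_unescaped, and the third "filter at output time" template are assumptions; the two SET / implicit-assignment templates are the ones from the thread.

```perl
#!/usr/bin/perl
# Added reproduction of the SET-vs-implicit-assignment filter difference
# discussed in this thread. Not code from the Template2 project.
# Assumes Template Toolkit (the Template module) is installed and that the
# constructed string below stands in for untrusted user input.
use strict;
use warnings;
use Template;

# Constructed attacker-controlled value (not taken from the ticket).
my $unsafe_user_input = q{<script>alert("xss")</script>};

# The two template forms quoted in the thread: implicit assignment with a
# pipe filter, and the explicit SET directive with the same pipe filter.
my %templates = (
    implicit => q{[% safe = unsafe_user_input | html %][% safe %]},
    explicit => q{[% SET safe = unsafe_user_input | html %][% safe %]},
);

# Render a template string with the given variables and return the output.
sub render {
    my ($template, $vars) = @_;
    my $tt = Template->new() or die Template->error();
    my $out = '';
    $tt->process(\$template, $vars, \$out) or die $tt->error();
    return $out;
}

# Return 1 if raw angle brackets survived into the output, meaning the html
# filter was not applied to the value that ended up in $safe; else 0.
sub is_unescaped {
    my ($out) = @_;
    return ($out =~ /[<>]/) ? 1 : 0;
}

for my $name (sort keys %templates) {
    my $out = render($templates{$name},
                     { unsafe_user_input => $unsafe_user_input });
    printf "%-8s output: %s\n", $name, $out;
    printf "%-8s html filter reached the value: %s\n",
        $name, is_unescaped($out) ? 'NO' : 'yes';
}

# Hardened pattern (assumption, not from the thread): apply the escaping
# filter at the point of output instead of relying on a filter attached to
# an assignment, so the result does not depend on which assignment form
# the template author used.
my $hardened = q{[% unsafe_user_input | html %]};
my $out = render($hardened, { unsafe_user_input => $unsafe_user_input });
printf "%-8s output: %s\n", 'output', $out;
printf "%-8s html filter reached the value: %s\n",
    'output', is_unescaped($out) ? 'NO' : 'yes';
```

Run it against the Template Toolkit version in use; per the thread, the implicit form prints `&lt;script&gt;...` while the SET form prints the raw string, and the last template escapes regardless. Because the SET form's behaviour is what this ticket is about and the fix was reverted, treat the "explicit" line as a regression check for whichever version you deploy rather than as a fixed expectation.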

#216 has resolved this. Should this issue remain open? If so, can we update it to reflect the remaining work needed?

EvanCarroll avatar Sep 04 '20 18:09 EvanCarroll

#216 was reverted in #268 (due to #263). This issue remains unresolved, and the work is as stated in the original issue.

dracos avatar Sep 04 '20 19:09 dracos