Posted to asp@perl.apache.org by Henrik Tougaard <ht...@foa.dk> on 2001/08/21 14:41:16 UTC

Plea for an unnecessary(?) enhancement to Apache::ASP

We have a couple of times not been sufficiently careful in our coding, and
had surprising results when fields contain special characters that have
been output to the browser without proper HTML-encoding.

This often (for us at least) happens when making a select list or checkbox,
where the value is something fetched e.g. from a database.
If the database field contains the " character, then this fouls up the HTML,
causing all sorts of fun and debugging.

The solution is obvious: enclose all this kind of data in
$Server->HTMLEncode($data).

The resulting ASP code will then look somewhat like this:
  <INPUT type="text" name="arbst_navn" value="<%=
$Server->HTMLEncode($arbst->{arbst_navn}) %>" tabindex="1">
which is even more unreadable than before.

Therefore I would like to have a new tag [e.g. '<%-' but I am open (very open)
to better suggestions] that automatically HTML-encodes the text inside the
tag.
This is a bit shorter than '$Server->HTMLEncode', and I think that I will be
able to teach that to my coworkers, and get them to use it, with a minimal
amount of fuss and physical violence.
 
It could be done with an XMLSub, but isn't that a bit overkill? Of course
adding a new tag could also be construed as overkill :)

Is this just too far out?

--
Henrik Tougaard, Copenhagen, Denmark
"The first rule of Perl Club is, we don't talk about Perl Club"
    - Dave Cross at YAPC::Europe 2.0.01

---------------------------------------------------------------------
To unsubscribe, e-mail: asp-unsubscribe@perl.apache.org
For additional commands, e-mail: asp-help@perl.apache.org


Re: Plea for an unnecessary(?) enhancement to Apache::ASP

Posted by Joshua Chamas <jo...@chamas.com>.
Henrik Tougaard wrote:
> 
> The resulting ASP code will then look somewhat like this:
>   <INPUT type="text" name="arbst_navn" value="<%=
> $Server->HTMLEncode($arbst->{arbst_navn}) %>" tabindex="1">
> which is even more unreadable than before.
> 

If you created a subroutine in global.asa like:

# in global.asa: a short alias for $Server->HTMLEncode
sub encode { $Server->HTMLEncode(@_) }

Then this code could have looked like:

 <INPUT type="text" name="arbst_navn" value="<%= encode($arbst->{arbst_navn}) %>" tabindex="1">

> Therefore I would like to have a new tag [e.g. '<%-' but I am open (very open)
> to better suggestions] that automatically HTML-encodes the text inside the

which is not much more typing than <%- %> ... I worry about starting
to add tag extensions to Apache::ASP because one of its virtues
when compared to other environments is the simplicity with which
perl is embedded.

> It could be done with an XMLSub, but isn't that a bit overkill? Of course
> adding a new tag could also be construed as overkill :)
> 

The XMLSub that I sent in the separate benchmarking email may
or may not be overkill ... you could call the tag something like
<encode:input /> or <input:escape /> if you like, which might
create a conscious effort on the part of your developers to use it.

Also, you could consider using FormFill functionality,
where all you would have to do in the above example to 
set the input field is:

<% $Response->{Form}{arbst_navn} = $arbst->{arbst_navn}; %>

--Josh
_________________________________________________________________
Joshua Chamas                           Chamas Enterprises Inc.
NodeWorks Founder                       Huntington Beach, CA  USA 
http://www.nodeworks.com                1-714-625-4051



Re: Plea for an unnecessary(?) enhancement to Apache::ASP

Posted by Joshua Chamas <jo...@chamas.com>.
Philip Mak wrote:
> 
> On Tue, 21 Aug 2001, Henrik Tougaard wrote:
> 
> > It could be done with an XMLSub, but isn't that a bit overkill.
> 
> I've been wondering about that---how much processing time does XMLSub use
> up?
> 

XMLSubs insert a few variable assignments and a subroutine call 
into the script code, so there is definitely overhead, but because 
Apache::ASP script execution is so fast, I'm not sure one should 
worry about this.

On a little benchmark I just put together which did 20 <input>
tags & equivalent XMLSubs, there was about a 13% difference in
the script runtime, where the XMLSubs were slower.  I would expect 
there to be less of a relative difference the more your scripts 
were actually doing.

Document Path:          /asp/eg/bench_xmlsubs/index.asp
Time taken for tests:   9.572 seconds
Requests per second:    104.47

Document Path:          /asp/eg/bench_xmlsubs/index_subs.asp
Time taken for tests:   10.991 seconds
Requests per second:    90.98

# .htaccess
PerlSetVar XMLSubsMatch my:input
PerlSetVar Global .
PerlSetVar NoState 1

# global.asa
sub my::input {
    my($args, $html) = @_;
    # only the value attribute is encoded here; name is trusted in this benchmark
    $args->{value} = $Server->HTMLEncode($args->{value});
    print "<input ". join(" ",map { "$_=\"$args->{$_}\"" } keys %$args).">\n";
}

# index.asp, without XMLSubs
<% my $data="asdfsadf&&&&&asdfsdafa"; %>
<% for my $count (1..20) { %>
 <input name="text<%= $count %>" value="<%= $Server->HTMLEncode($data) %>">
<% } %>

# index_subs.asp, with XMLSubs
<% my $data="asdfsadf&&&&&asdfsdafa"; %>
<% for my $count (1..20) { %>
 <my:input name="text$count" value="$data" />
<% } %>


--Josh


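As an added example that is not part of the thread, the stand-alone Perl below puts Josh's two suggestions (the global.asa encode() helper and an XMLSub-style input tag) side by side with the raw interpolation Henrik describes, so the effect on a value containing a quote can be seen without Apache or mod_perl. html_encode() is an assumption that re-implements the four substitutions $Server->HTMLEncode performs (&, ", >, <); my_input() stands in for an XMLSub handler (a real one receives ($args, $html) and prints rather than returns) and, unlike the benchmark's my::input, encodes every attribute value rather than only value; the sample database field is constructed.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from Apache::ASP itself.
use strict;
use warnings;

# Stand-in for $Server->HTMLEncode() (assumption: same four substitutions).
# & must be replaced first, or the entities produced below would be re-encoded.
sub html_encode {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/&/&amp;/g;
    $text =~ s/"/&quot;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/</&lt;/g;
    return $text;
}

# Josh's first suggestion: a short helper so templates can read
# <%= encode($x) %> instead of <%= $Server->HTMLEncode($x) %>.
sub encode { html_encode($_[0]) }

# Josh's second suggestion, as an XMLSub-style handler (hypothetical name):
# the tag's attributes arrive in a hashref, and every attribute value is
# encoded before the <input> is emitted. A name or id pulled from a database
# can carry a quote just as easily as value, so all of them are encoded.
sub my_input {
    my ($args) = @_;
    my $attrs = join ' ', map {
        my $k = $_;
        qq{$k="} . html_encode($args->{$k}) . q{"}
    } sort keys %$args;    # sorted only so the output is deterministic
    return "<input $attrs>";
}

# The naive template: the database field is interpolated unencoded.
sub unsafe_input {
    my ($name, $value) = @_;
    return qq{<input type="text" name="$name" value="$value">};
}

# Constructed sample "database field" with a quote and other metacharacters.
my $field = q{Hansen & Son "A/S" <Copenhagen>};

print "Raw interpolation (the attribute ends at the first \"):\n  ",
      unsafe_input('arbst_navn', $field), "\n\n";

print "Helper sub, <%= encode(\$field) %>:\n  ",
      qq{<input type="text" name="arbst_navn" value="} . encode($field) . qq{">},
      "\n\n";

print "XMLSub-style <my:input ... />:\n  ",
      my_input({ type => 'text', name => 'arbst_navn', value => $field }), "\n";
```

Run it with `perl` and compare the three lines: in the first, the browser closes value at the quote before A/S and treats the rest of the field as stray attributes, which is the "fouled up" HTML Henrik describes; in the other two the field comes back intact as `Hansen &amp; Son &quot;A/S&quot; &lt;Copenhagen&gt;`.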


Re: Plea for an unnecessary(?) enhancement to Apache::ASP

Posted by Philip Mak <pm...@aaanime.net>.
On Tue, 21 Aug 2001, Henrik Tougaard wrote:

> It could be done with an XMLSub, but isn't that a bit overkill.

I've been wondering about that---how much processing time does XMLSub use
up?

