What does <%escape_html Tag%> do???

Hi,

This may be a dumb question, but I haven't been able to find the answer.

I use a custom 2.x.x template set, and noticed the <%escape_html Tag%> added with the 3.0.0 update used in the Luna set.

What does this "escape_html" tag do exactly???

I have no problems with my site not using this tag. Is this something I may need to add throughout my template set??? I dread the thought, but wanted to check to make sure.

Thanks!
Re: [Jonze] What does <%escape_html Tag%> do???
It prevents HTML code from being printed to your pages.

Example:

if I enter the following in the Title:

<p><a href="someurl">My site is a for free services.</a></p>

Without the escape_html tag it will print as:
My site is a for free services.

With the tag it will be:

<p><a href="someurl">My site is a for free services.</a></p>
Regards
KaTaBd

Users plug In - Multi Search And Remote Search plug in - WebRing plug in - Muslims Directory
Re: [Jonze] What does <%escape_html Tag%> do???
It is recommended you do as it will prevent any XSS vulnerabilities. See the announcement: http://www.gossamer-threads.com/...orum.cgi?post=281029

Adrian
Re: [brewt] What does <%escape_html Tag%> do???
Thanks for the info guys! Much appreciated.

Adrian,

The link was very helpful, but I have one more question....

My site doesn't use html in my links, so I can easily use this code to prevent vulnerabilities right?

If your directory does not allow html in any link info (eg. link descriptions, reviews, etc) then you can not modify your templates and just add an option to GT::Template to html escape all variables. To do this, edit admin/Links.pm (it's on a different line depending on the version you have installed) in "sub user_page", before it calls GT::Template->parse(...), add the following line:
Code:
$opts->{escape} = 1;

Full URLs like "http://www.sitename.com/pics/234/" won't be escaped, will they?

I have over 100+ templates so I'd like to get around hand editing most of them if possible.

Thanks again.
Re: [Jonze] What does <%escape_html Tag%> do???
If you enable that GT::Template option, then every variable passed into GT::Template that isn't passed as a reference will get HTML escaped. For GLinks, this pretty much means all variables will be HTML escaped (yes, that includes URLs, but in almost all cases won't break anything).

Adrian
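To make the two replies above concrete, here is an added Python sketch of what the escape_html tag does and what the global escape option changes. It is not Gossamer Links code (GT::Template is Perl); the <%Name%> / <%escape_html Name%> tag syntax is modelled on the thread, the escape_all flag is a hypothetical stand-in for the $opts->{escape} = 1 switch, and the title and URLs are the constructed samples from the posts above.

```python
import html
import re

# Matches <%Name%> and <%escape_html Name%>; group 1 is the optional escape_html prefix.
TAG = re.compile(r"<%\s*(escape_html\s+)?(\w+)\s*%>")


def escape_html(value):
    """Escape the five characters (& < > \" ') that let user text break out of
    HTML content or an attribute value. A URL with no such characters is
    returned unchanged, which is why escaping link URLs is usually harmless."""
    return html.escape(str(value), quote=True)


def render(template, variables, escape_all=False):
    """Expand template tags from a dict of variables.

    With escape_all=False only <%escape_html Name%> tags escape their value,
    as in a hand-edited template. With escape_all=True every variable is
    escaped whether or not the tag asks for it, mirroring the effect of the
    global $opts->{escape} = 1 setting described in the thread (hypothetical
    stand-in, not the real GT::Template implementation)."""
    def substitute(match):
        value = variables.get(match.group(2), "")
        if match.group(1) or escape_all:
            value = escape_html(value)
        return value
    return TAG.sub(substitute, template)


# Constructed sample data: the title KaTaBd used, and the URL Jonze asked about.
TITLE = '<p><a href="someurl">My site is a for free services.</a></p>'
URL = "http://www.sitename.com/pics/234/"
QUERY_URL = "http://www.sitename.com/?a=1&b=2"

if __name__ == "__main__":
    # Unescaped: the markup is emitted as-is and the browser renders a live link.
    print(render("<td><%Title%></td>", {"Title": TITLE}))
    # Escaped: the markup is shown literally as text.
    print(render("<td><%escape_html Title%></td>", {"Title": TITLE}))
    # Global escape: a plain URL survives untouched; only '&' in a query string
    # becomes '&amp;', which the browser decodes back inside href="...".
    print(render('<a href="<%URL%>"><%Title%></a>', {"URL": URL, "Title": "Pics"}, escape_all=True))
    print(render('<a href="<%URL%>">', {"URL": QUERY_URL}, escape_all=True))
```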