Security Advisories (1)
CVE-2026-5090 (2026-05-19)

Template::Plugin::HTML versions through 3.102 for Perl allow HTML and JavaScript to be injected. The html_filter function did not escape single quotes, so HTML attributes enclosed in single quotes could have code injected into them. For example, the variable "var" in <a id='ref' title='[% var | html %]'> would not be properly escaped, and an attacker could insert some limited HTML and JavaScript, for example var = "' onclick='while (true) { alert(1) }'". Arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double quotes would still be escaped; for the same reason, a filtered value is only safe inside a double-quoted attribute or in element text until the filter is fixed.
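The attribute break-out described above, as an added example that is not part of the advisory or of Template Toolkit: a plain-Perl escaper that mimics the pre-fix behaviour (everything but the single quote encoded) next to a hardened one, both fed the advisory's payload. The function names are hypothetical and no Template module is needed to run it.

```perl
#!/usr/bin/env perl
# Added example, not Template Toolkit code. Shows why a filter that leaves
# the single quote alone lets a value break out of a single-quoted attribute.
use strict;
use warnings;

# Mimics the pre-fix behaviour the advisory describes: &, <, > and " are
# encoded, ' is passed through. (Hypothetical name.)
sub escape_html_noquote {
    my ($s) = @_;
    for ($s) {
        s/&/&amp;/g;
        s/</&lt;/g;
        s/>/&gt;/g;
        s/"/&quot;/g;
    }
    return $s;
}

# Hardened variant: also encodes the single quote, using the numeric entity
# so that every HTML parser decodes it. (Hypothetical name.)
sub escape_html_attr {
    my ($s) = @_;
    $s = escape_html_noquote($s);
    $s =~ s/'/&#39;/g;
    return $s;
}

# Renders the advisory's template fragment with the given filter.
sub render_link {
    my ($filter, $value) = @_;
    return "<a id='ref' title='" . $filter->($value) . "'>";
}

# True if the filtered value can still terminate a single-quoted attribute.
sub breaks_out {
    my ($filter, $value) = @_;
    return $filter->($value) =~ /'/ ? 1 : 0;
}

# The payload from the advisory (constructed attacker input).
my $var = q{' onclick='while (true) { alert(1) }'};

my %filters = (
    'pre-fix (no single quote)'   => \&escape_html_noquote,
    'hardened (single quote too)' => \&escape_html_attr,
);

for my $name (sort keys %filters) {
    my $f = $filters{$name};
    printf "%-30s %s\n  %s\n", $name,
        breaks_out($f, $var) ? 'INJECTED' : 'safe',
        render_link($f, $var);
}
```

With the pre-fix escaper the rendered tag reads `<a id='ref' title='' onclick='while (true) { alert(1) }''>`: the title attribute is closed early and the browser sees a real onclick handler. The hardened escaper leaves the whole payload inside the title value as `&#39; onclick=&#39;...`.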

NAME

Template::Plugin::Dumper - Plugin interface to Data::Dumper

SYNOPSIS

[% USE Dumper %]

[% Dumper.dump(variable) %]
[% Dumper.dump_html(variable) %]

DESCRIPTION

This is a very simple Template Toolkit Plugin Interface to the Data::Dumper module. A Dumper object will be instantiated via the following directive:

[% USE Dumper %]

As a standard plugin, you can also specify its name in lower case:

[% USE dumper %]

The Data::Dumper 'Pad', 'Indent' and 'Varname' options are supported as constructor arguments to affect the output generated. See Data::Dumper for further details.

[% USE dumper(Indent=0, Pad="<br>") %]

These options can also be specified in lower case.

[% USE dumper(indent=0, pad="<br>") %]

METHODS

There are two methods supported by the Dumper object. Each will output into the template the contents of the variables passed to the object method.

dump()

Generates a raw text dump of the data structure(s) passed to it.

[% USE Dumper %]
[% Dumper.dump(myvar) %]
[% Dumper.dump(myvar, yourvar) %]

dump_html()

Generates a dump of the data structures, as per dump(), but with the characters <, > and & converted to their equivalent HTML entities and newlines converted to <br>. Quote characters are not converted, so place the output in element text rather than inside an HTML attribute value.

[% USE Dumper %]
[% Dumper.dump_html(myvar) %]
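Putting the constructor options and the two methods together, as an added example that is not part of the plugin's own documentation: a script that renders a constructed data structure through both dump() and dump_html() and checks what each one escapes. It assumes Template Toolkit (which loads Data::Dumper) is installed; the sample data is made up.

```perl
#!/usr/bin/env perl
# Added example, not part of the Template Toolkit distribution. Renders the
# same data through Dumper.dump and Dumper.dump_html and checks what each
# escapes. Assumes Template (and Data::Dumper, which it loads) is installed.
use strict;
use warnings;
use Template;

# Constructed sample data with characters that matter in HTML output.
my $vars = {
    user => {
        name => "O'Brien",
        bio  => '<script>alert(1)</script> & friends',
    },
};

my $tt = Template->new() or die Template->error();

# Process a template string against $vars and return the rendered output.
sub render {
    my ($template) = @_;
    my $out = '';
    $tt->process(\$template, $vars, \$out) or die $tt->error();
    return $out;
}

# Indent=1 gives a compact, fixed-indent dump; Pad is prefixed to each line.
# Option names may be given in either case, as the documentation states.
my $raw  = render('[% USE Dumper(Indent=1, Pad="  ") %][% Dumper.dump(user) %]');
my $html = render('[% USE Dumper(indent=1) %][% Dumper.dump_html(user) %]');

print "dump():\n$raw\n";
print "dump_html():\n$html\n";

# dump() writes the values verbatim, so the tag would reach the page as markup.
die "dump() should not escape" unless $raw =~ /<script>/;

# dump_html() encodes <, > and & and turns newlines into <br>.
die "dump_html() left a raw tag"      if $html =~ /<script>/;
die "dump_html() missed the entities" unless $html =~ /&lt;script&gt;/ && $html =~ /&amp;/;
die "dump_html() missed the newlines" unless $html =~ /<br>/;

# It does not touch quotes: Data::Dumper's single-quoted strings survive as-is,
# so this output belongs in element text, never inside an attribute value.
die "dump_html() changed the quotes" unless $html =~ /'name' => 'O\\'Brien'/;
```

The four die checks are the point of the script: dump() is only suitable for plain-text or <pre>-style debugging output that is never sent to a browser as HTML, and dump_html() is safe in element content but, because the single quote around every dumped string passes through unchanged, not inside a single-quoted attribute.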

AUTHOR

Simon Matthews <sam@knowledgepool.com>

VERSION

Template Toolkit version 2.01, released on 30th March 2001.

COPYRIGHT

Copyright (C) 2000 Simon Matthews All Rights Reserved.

This module is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

SEE ALSO

Template::Plugin, Data::Dumper