/ 
Template-Toolkit-2.08 UNAUTHORIZED RELEASE
/ Template::Plugin::View
Security Advisories (1)
CVE-2026-5090 (2026-05-19)

Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected. The html_filter function did not escape single quotes. HTML attributes inside of single quotes could be have code injected. For example, the variable "var" in <a id='ref' title='[% var | html %]'> would not be properly escaped. An attacker could insert some limited HTML and JavaScript, for example, var = " ' onclick='while (true) { alert(1) }'" Note that arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double-quotes would still be escaped.

NAME

Template::Plugin::View - Plugin to create views (Template::View)

SYNOPSIS

    [% USE view(
	    prefix = 'splash/'		# template prefix/suffix
	    suffix = '.tt2'		
	    bgcol  = '#ffffff'		# and any other variables you 
	    style  = 'Fancy HTML'       # care to define as view metadata,
	    items  = [ foo, bar.baz ]	# including complex data and
	    foo    = bar ? baz : x.y.z  # expressions
    %]

    [% view.title %]			# access view metadata

    [% view.header(title = 'Foo!') %]	# view "methods" process blocks or
    [% view.footer %]			# templates with prefix/suffix added

DESCRIPTION

This plugin module creates Template::View objects. Views are an experimental feature and are subject to change in the near future. In the mean time, please consult Template::View for further info.

AUTHOR

Andy Wardley <abw@andywardley.com>

http://www.andywardley.com/

VERSION

2.51, distributed as part of the Template Toolkit version 2.08, released on 30 July 2002.

COPYRIGHT

Copyright (C) 1996-2002 Andy Wardley.  All Rights Reserved.
Copyright (C) 1998-2002 Canon Research Centre Europe Ltd.

This module is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

SEE ALSO

Template::Plugin, Template::View