/ 
Template-Toolkit-2.24
/ Template::Tools
Security Advisories (1)
CVE-2026-5090 (2026-05-19)

Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected. The html_filter function did not escape single quotes. HTML attributes inside of single quotes could be have code injected. For example, the variable "var" in <a id='ref' title='[% var | html %]'> would not be properly escaped. An attacker could insert some limited HTML and JavaScript, for example, var = " ' onclick='while (true) { alert(1) }'" Note that arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double-quotes would still be escaped.

NAME

Template::Tools - Command Line Tools for the Template Toolkit

Template Tools

The Template Toolkit includes the following command line tools for processing templates.

tpage

The tpage script can be used to process a single template using the Template Toolkit.

$ tpage --define msg="Hello World" greeting.tt2

Use the -h option to get a summary of options:

$ tpage -h

See the Template::Tools::tpage documentation for further information and examples of use.

ttree

The ttree script can be used to process an entire directory of templates.

$ ttree --src /path/to/templates --dest /path/to/output

Use the -h option to get a summary of options:

$ ttree -h

See the Template::Tools::ttree documentation for further information and examples of use.