Security Advisories (1)
CVE-2026-5090 (2026-05-19)

Template::Plugin::HTML versions through 3.102 for Perl allow HTML and JavaScript to be injected. The html_filter function did not escape single quotes, so a value placed inside a single-quoted HTML attribute could break out of the attribute and have code injected. For example, the variable "var" in <a id='ref' title='[% var | html %]'> would not be properly escaped. An attacker could insert some limited HTML and JavaScript, for example var = " ' onclick='while (true) { alert(1) }'". Note that arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double quotes would still be escaped.
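The advisory's attribute break-out, shown as an added example (this is not code from the Template Toolkit distribution). legacy_html_filter reconstructs the pre-fix behaviour exactly as the advisory describes it (ampersand, angle brackets and double quote escaped, single quote not); attr_safe_html_filter and the filter name html_attr are hypothetical names chosen for this example. The attacker value is the one from the advisory text.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Reconstruction of the pre-fix behaviour the advisory describes: ampersand,
# angle brackets and double quote are escaped, the single quote is not.
# Written for this example; not the module's own source. The ampersand is
# replaced first so the entities produced afterwards are not re-escaped.
sub legacy_html_filter {
    my ($text) = @_;
    for ($text) {
        s/&/&amp;/g;
        s/</&lt;/g;
        s/>/&gt;/g;
        s/"/&quot;/g;
    }
    return $text;
}

# Hardened filter (hypothetical name): the same replacements plus the single
# quote, so the result is inert inside either kind of quoted attribute.
sub attr_safe_html_filter {
    my ($text) = @_;
    for ($text) {
        s/&/&amp;/g;
        s/</&lt;/g;
        s/>/&gt;/g;
        s/"/&quot;/g;
        s/'/&#39;/g;
    }
    return $text;
}

# Constructed attacker input, taken from the advisory's example.
my $var = " ' onclick='while (true) { alert(1) }'";

# 1. Plain function calls: the legacy output closes the title attribute and
#    smuggles in an onclick handler; the hardened output stays inside title.
printf "legacy:   <a id='ref' title='%s'>\n", legacy_html_filter($var);
printf "hardened: <a id='ref' title='%s'>\n", attr_safe_html_filter($var);

# 2. The hardened filter registered as a static Template Toolkit filter under
#    the hypothetical name html_attr, in the position the advisory's template
#    used the built-in 'html' filter.
my $tt = Template->new({
    FILTERS => { html_attr => \&attr_safe_html_filter },
}) or die Template->error;

my $template = "<a id='ref' title='[% var | html_attr %]'>\n";
$tt->process(\$template, { var => $var }, \my $output) or die $tt->error;
print "template: $output";
```

Escaping the single quote only helps for quoted attributes: an unquoted attribute value is terminated by whitespace, which no entity replacement touches, so attribute values must be quoted as well as filtered.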

NAME

Template::Plugin::Procedural - Base class for procedural plugins

SYNOPSIS

package Template::Plugin::LWPSimple;
use base qw(Template::Plugin::Procedural);
use LWP::Simple;  # exports 'get'
1;

[% USE LWPSimple %]
[% LWPSimple.get("http://www.tt2.org/") %]

DESCRIPTION

Template::Plugin::Procedural is a base class for Template Toolkit plugins that causes defined subroutines to be called directly rather than as methods. Essentially this means that subroutines will not receive the class name or object as their first argument.

This is most useful when creating plugins for modules that normally work by exporting subroutines that do not expect such additional arguments.

Despite the fact that subroutines will not be called in an OO manner, inheritance still functions as normal. A class that uses Template::Plugin::Procedural can be subclassed, and both subroutines defined in the subclass and subroutines defined in the original class will be available to the Template Toolkit and will be called without the class/object argument.
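A complete procedural plugin with a subclass, as an added example rather than code from the module's own documentation. The plugin Template::Plugin::Slugify, its subclass Template::Plugin::Slugify::Short and the subroutines slugify and truncate_slug are all hypothetical names written for this example. Both packages live in the script itself, so each registers its would-be file in %INC; without that, [% USE %] would try to load the module from disk.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical plugin written for this example, not part of Template Toolkit.
# Its subroutines receive only the template arguments: Procedural's load()
# builds a proxy class whose wrappers drop the class/object argument.
package Template::Plugin::Slugify;
use base qw(Template::Plugin::Procedural);

# The package is defined in this file, so tell Perl it is already loaded;
# otherwise [% USE Slugify %] would require Template/Plugin/Slugify.pm.
BEGIN { $INC{'Template/Plugin/Slugify.pm'} = __FILE__ }

sub slugify {
    my ($text, $sep) = @_;          # no $class or $self in front
    $sep = '-' unless defined $sep;
    $text = lc $text;
    $text =~ s/[^a-z0-9]+/$sep/g;                 # runs of non-alphanumerics
    $text =~ s/^\Q$sep\E+|\Q$sep\E+$//g;          # trim leading/trailing separators
    return $text;
}

# Inheritance works as the DESCRIPTION says: the subclass adds a sub, and
# both its own sub and the inherited one are callable from a template
# without the class/object argument.
package Template::Plugin::Slugify::Short;
use base qw(Template::Plugin::Slugify);
BEGIN { $INC{'Template/Plugin/Slugify/Short.pm'} = __FILE__ }

sub truncate_slug {
    my ($text, $max) = @_;
    my $slug = Template::Plugin::Slugify::slugify($text);
    $slug = substr($slug, 0, $max) if length($slug) > $max;
    $slug =~ s/-+$//;               # never end on a cut separator
    return $slug;
}

package main;
use Template;

my $tt = Template->new() or die Template->error;

# Dots in a plugin name map to :: so Slugify.Short is the subclass above.
my $template = <<'TT';
[% USE Slugify -%]
[% Slugify.slugify('Hello, World!  Secure Perl') %]
[% Slugify.slugify('Hello, World!', '_') %]
[% USE Short = Slugify.Short -%]
[% Short.slugify('Inherited Sub') %]
[% Short.truncate_slug('A Fairly Long Title For A Page', 14) %]
TT

$tt->process(\$template, {}, \my $output) or die $tt->error;
print $output;
```

Every subroutine visible in the plugin package and its ancestors is exposed to templates this way, including subroutines imported from other modules; that is exactly what the SYNOPSIS relies on to expose LWP::Simple's get, so import only what template authors should be allowed to call.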

AUTHOR

Mark Fowler <mark@twoshortplanks.com>

http://www.twoshortplanks.com

VERSION

1.11, distributed as part of the Template Toolkit version 2.13, released on 30 January 2004.

COPYRIGHT

Copyright (C) 2002 Mark Fowler <mark@twoshortplanks.com>

This module is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

SEE ALSO

Template, Template::Plugin