/ 
Template-Toolkit-2.19 UNAUTHORIZED RELEASE
/ Template::Manual
Security Advisories (1)
CVE-2026-5090 (2026-05-19)

Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected. The html_filter function did not escape single quotes. HTML attributes inside of single quotes could be have code injected. For example, the variable "var" in <a id='ref' title='[% var | html %]'> would not be properly escaped. An attacker could insert some limited HTML and JavaScript, for example, var = " ' onclick='while (true) { alert(1) }'" Note that arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double-quotes would still be escaped.

NAME

Template::Manual - User guide and reference manual for the Template Toolkit

DESCRIPTION

Template::Manual::Intro

Introduction to the Template Toolkit

Template::Manual::Syntax

Directive syntax, structure and semantics

Template::Manual::Directives

Template directives

Template::Manual::Variables

Template variables and code bindings

Template::Manual::VMethods

Virtual Methods

Template::Manual::Config

Configuration options

Template::Manual::Filters

Standard filters

Template::Manual::Plugins

Standard plugins

Template::Manual::Internals

Template Toolkit internals

Template::Manual::Views

Template Toolkit views (experimental)

Template::Manual::Refs

Related modules, projects and other resources

Template::Manual::Credits

Author and contributor credits

AUTHOR

Andy Wardley <abw@wardley.org>

http://wardley.org/

VERSION

Template Toolkit version 2.19, released on 27 April 2007.

COPYRIGHT

Copyright (C) 1996-2007 Andy Wardley.  All Rights Reserved.

This module is free software; you can redistribute it and/or modify it under the same terms as Perl itself.