Security Advisories (1)
CVE-2026-5090 (2026-05-19)

Template::Plugin::HTML versions through 3.102 for Perl allow HTML and JavaScript to be injected. The html_filter function did not escape single quotes, so HTML attributes enclosed in single quotes could have code injected. For example, the variable "var" in <a id='ref' title='[% var | html %]'> would not be properly escaped. An attacker could insert some limited HTML and JavaScript, for example, var = " ' onclick='while (true) { alert(1) }'". Note that arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double quotes would still be escaped.
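
To make the gap concrete, the following is an added example and not Template::Plugin::HTML's own code: a filter that escapes only the four characters the advisory names, beside a variant that also escapes the single quote, both applied to the advisory's `title='[% var | html %]'` case. The names html_filter_vulnerable, html_filter_fixed and stays_in_single_quoted_attr are assumed here, and `&#39;` is one reasonable encoding for the apostrophe, not necessarily the one the project adopted.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escaping as the advisory describes for the affected versions (example code,
# not the module's own): ampersand, angle brackets and double quotes are
# encoded; the single quote passes through untouched.
sub html_filter_vulnerable {
    my ($text) = @_;
    for ($text) {
        s/&/&amp;/g;
        s/</&lt;/g;
        s/>/&gt;/g;
        s/"/&quot;/g;
    }
    return $text;
}

# Hardened variant (assumed encoding): additionally encodes the single quote,
# so a value placed inside a single-quoted attribute cannot terminate it.
sub html_filter_fixed {
    my ($text) = @_;
    for ($text) {
        s/&/&amp;/g;
        s/</&lt;/g;
        s/>/&gt;/g;
        s/"/&quot;/g;
        s/'/&#39;/g;
    }
    return $text;
}

# True if the filtered value stays inside a single-quoted attribute, i.e. it
# contains no raw apostrophe that could close the quote early.
sub stays_in_single_quoted_attr {
    my ($filtered) = @_;
    return $filtered !~ /'/;
}

# The advisory's example value for "var".
my $var = " ' onclick='while (true) { alert(1) }'";
for my $pair ([vulnerable => \&html_filter_vulnerable],
              [fixed      => \&html_filter_fixed]) {
    my ($name, $filter) = @$pair;
    my $title = $filter->($var);
    printf "%-10s <a id='ref' title='%s'>  contained: %s\n",
        $name, $title, stays_in_single_quoted_attr($title) ? 'yes' : 'no';
}
```

Running it shows the vulnerable filter emitting a second attribute from the value, while the hardened filter keeps the whole value inside the title attribute.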

NAME

Template::Tools::tpage - Process templates from command line

USAGE

tpage [ --define var=value ] file(s)

DESCRIPTION

The tpage script is a simple wrapper around the Template Toolkit processor. Files specified by name on the command line are processed in turn by the template processor and the resulting output is sent to STDOUT and can be redirected accordingly. e.g.

tpage myfile > myfile.out
tpage header myfile footer > myfile.html

If no file names are specified on the command line then tpage will read STDIN for input.

The --define option can be used to set the values of template variables. e.g.

tpage --define author="Andy Wardley" skeleton.pm > MyModule.pm

The .tpagerc Configuration File

You can use a .tpagerc file in your home directory.

The purpose of this file is to set any global configuration options that you want applied every time tpage is run. For example, you can use the include_path to use template files from a generic template directory.

Run tpage -h for a summary of the options available.

See Template for general information about the Perl Template Toolkit and the template language and features.

AUTHOR

Andy Wardley <abw@wardley.org>

http://wardley.org/

VERSION

2.68, distributed as part of the Template Toolkit version 2.19, released on 27 April 2007.

COPYRIGHT

Copyright (C) 1996-2007 Andy Wardley.  All Rights Reserved.

This module is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

SEE ALSO

ttree