Security Advisories (1)
CVE-2026-5090 (2026-05-19)

Template::Plugin::HTML versions through 3.102 for Perl allow HTML and JavaScript to be injected. The html_filter function did not escape single quotes. HTML attributes inside of single quotes could have code injected. For example, the variable "var" in <a id='ref' title='[% var | html %]'> would not be properly escaped. An attacker could insert some limited HTML and JavaScript, for example, var = " ' onclick='while (true) { alert(1) }'". Note that arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double-quotes would still be escaped.

NAME

Template::Plugin::Assert - trap undefined values

SYNOPSIS

[% USE assert %]

# throws error if any undefined values are returned
[% object.assert.method %]
[% hash.assert.key %]
[% list.assert.item %]

DESCRIPTION

This plugin defines the assert virtual method that can be used to automatically throw errors when undefined values are used.

For example, consider this dotop:

[% user.name %]

If user.name is an undefined value then TT will silently ignore the fact and print nothing. If you USE the assert plugin then you can add the assert vmethod between the user and name elements, like so:

[% user.assert.name %]

Now, if user.name is an undefined value, an exception will be thrown:

assert error - undefined value for name
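As an added example (not part of the original documentation), the following Perl script shows the two behaviours described above side by side, and how both the calling code and the template itself can handle the assert exception. The user record is constructed for the example and deliberately lacks a "name" key.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Constructed sample data: the user record has an email but no "name" key,
# so user.name is undefined inside the template.
my $vars = { user => { email => 'alice@example.com' } };
my $tt   = Template->new();

# 1. Without assert, the undefined dotop renders as an empty string and
#    process() reports success, so the missing value goes unnoticed.
my $plain = '<p>Hello, [% user.name %]!</p>';
my $out   = '';
$tt->process(\$plain, $vars, \$out) or die $tt->error;
print "plain:   $out\n";

# 2. With the assert plugin, the same dotop throws an exception of type
#    'assert'. process() returns false and error() holds the
#    Template::Exception object, which stringifies to the message
#    "assert error - undefined value for name".
my $checked = '[% USE assert %]<p>Hello, [% user.assert.name %]!</p>';
$out = '';
if ($tt->process(\$checked, $vars, \$out)) {
    print "checked: $out\n";
} else {
    my $err = $tt->error;
    print "checked: failed with '$err'\n";
}

# 3. The exception can also be caught inside the template with TRY/CATCH,
#    keyed on the 'assert' exception type, so the page still renders and
#    error.info carries the "undefined value for name" text.
my $caught = <<'TT';
[% USE assert -%]
[% TRY -%]
[% name = user.assert.name -%]
<p>Hello, [% name %]!</p>
[% CATCH assert -%]
<p>Missing template data: [% error.info %]</p>
[% END -%]
TT
$out = '';
$tt->process(\$caught, $vars, \$out) or die $tt->error;
print "caught:  $out";
```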

AUTHOR

Andy Wardley <abw@wardley.org> http://wardley.org/

COPYRIGHT

Copyright (C) 2008-2022 Andy Wardley. All Rights Reserved.

This module is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

SEE ALSO

Template::Plugin