/ 
Template-Toolkit-3.102
⭐ Starred 148 / Template::Plugin::View
Security Advisories (1)
CVE-2026-5090 (2026-05-19)

Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected. The html_filter function did not escape single quotes. HTML attributes inside of single quotes could be have code injected. For example, the variable "var" in <a id='ref' title='[% var | html %]'> would not be properly escaped. An attacker could insert some limited HTML and JavaScript, for example, var = " ' onclick='while (true) { alert(1) }'" Note that arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double-quotes would still be escaped.

NAME

Template::Plugin::View - Plugin to create views (Template::View)

SYNOPSIS

[% USE view(
        prefix = 'splash/'          # template prefix/suffix
        suffix = '.tt2'
        bgcol  = '#ffffff'          # and any other variables you
        style  = 'Fancy HTML'       # care to define as view metadata,
        items  = [ foo, bar.baz ]   # including complex data and
        foo    = bar ? baz : x.y.z  # expressions
%]

[% view.title %]                    # access view metadata

[% view.header(title = 'Foo!') %]   # view "methods" process blocks or
[% view.footer %]                   # templates with prefix/suffix added

DESCRIPTION

This plugin module creates Template::View objects. Views are an experimental feature and are subject to change in the near future. In the mean time, please consult Template::View for further info.

AUTHOR

Andy Wardley <abw@wardley.org> http://wardley.org/

COPYRIGHT

Copyright (C) 1996-2022 Andy Wardley. All Rights Reserved.

This module is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

SEE ALSO

Template::Plugin, Template::View, Template::Manual::Views