
There are already several questions on SO about safe template languages, like:

but the above questions are for ASP, Ruby and Python.

My question is: What templating language can be allowed to be edited by users in a Perl-based web app?

I want to allow users to edit pages (like in a wiki) with some programming possibilities, so full-featured, meaning with loops, conditionals, variable substitutions, includes and so on.

Is TT "safe enough"? Is there another solution besides TT?

clt60

1 Answer


Template::Toolkit should be fine, as long as you limit what parameters are passed to the template. If you pass classes, the templates will be able to call any method on those classes, and any method on the return values of those classes, etc. It's much better to only pass hashes.

HTML::Template is also a good option, and it only allows hashes by default, so you are much less likely to leave open a hole that lets the template authors execute arbitrary code.

In either case, make sure that you read the documentation for whatever you use, and clean the output in order to prevent cross-site scripting attacks. Do not rely on people customizing the templates to get the output encoding correct for you.

Sean McMillan