AUTOESCAPING HTML
By default, all HTML that is emitted by the form-generating functions
(textfield(), textarea(), popup_menu() and friends) is passed through a function
called escapeHTML():

    $escaped_string = escapeHTML("unescaped string");
Provided that you have specified a character set of ISO-8859-1 (the default),
the standard HTML escaping rules will be used. The "<" character becomes
"&lt;", ">" becomes "&gt;", "&" becomes "&amp;", and the quote character
becomes "&quot;". In addition, the hexadecimal 0x8b and 0x9b characters, which
many Windows-based browsers interpret as the left and right angle-bracket
characters, are replaced by their numeric HTML entities ("&#8249;" and
"&#8250;"). If you manually change the charset, either by calling the charset()
method explicitly or by passing a -charset argument to header(), then all
characters will be replaced by their numeric entities, since CGI.pm has no
lookup table for all the possible encodings.
Autoescaping does not apply to other HTML-generating functions, such as h1(),
p() or td(). You should call escapeHTML() yourself on any data that is passed in
from the outside, such as nasty text that people may enter into guestbooks.
Note that escapeHTML() only neutralises HTML markup; it is not a substitute for
the escaping needed when untrusted data ends up inside a URL or a JavaScript
string.
To change the character set, use charset(). To turn autoescaping off
completely, use autoEscape():

    $charset = charset([$charset]);  # Get or set the current character set.
    $flag    = autoEscape([$flag]);  # Get or set the value of the autoescape flag.
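The following script, added here as an illustration and not part of the CGI.pm documentation itself, shows the difference between the autoescaped form functions and the non-escaped HTML shortcuts, and what happens when autoEscape() is switched off. The submitted string is constructed for the example; the -override argument is used so that the supplied value is printed even if a CGI parameter of the same name happened to be present in the environment.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI qw(:standard);

# Constructed sample: the kind of text a guestbook visitor might submit.
my $nasty = q{<script>alert("xss")</script> & "friends"};

# escapeHTML() on its own: <, >, & and " become entities.
print escapeHTML($nasty), "\n";

# Form-generating functions pass the value through escapeHTML()
# automatically, so it cannot break out of the value="..." attribute.
print textfield(-name => 'comment', -value => $nasty, -override => 1), "\n";

# h1() is NOT autoescaped: the raw string goes straight into the page.
# This line reflects the visitor's markup unchanged (the vulnerable case).
print h1($nasty), "\n";

# Escape it yourself before handing it to a non-form function.
print h1(escapeHTML($nasty)), "\n";

# With autoescaping off, textfield() becomes just as unsafe as h1().
my $old = autoEscape(0);
print textfield(-name => 'comment', -value => $nasty, -override => 1), "\n";
autoEscape($old);   # restore the previous setting
```

Run it from the command line (CGI.pm reads parameters from the environment, so no web server is needed) and compare the two textfield() lines: the first keeps the script tags inert inside the attribute, while the second, emitted with autoescaping off, closes the attribute and injects them into the page.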