[ic] Returning raw data from looping tag - NO encode... UPDATE

Paul Jordan paul at gishnetwork.com
Mon Nov 24 10:14:58 EST 2003


Paul Jordan wrote:
> Mike Heins [mike at perusion.com] wrote:
>> Quoting Paul Jordan (paul at gishnetwork.com):
>>>
>>> 4.9.8 Mysql
>>>
>>> Assume I have in a table column:
>>>
>>> 	Hello, a left square bracket like [ is the same as [ and
>>> 	sometimes ITL can look like this [scratch foo]... bye!
>>>
>>> In short, How can I return the above line, from a database via
>>> [sql-param body] without interpolating (reparsing) anything inside
>>> of [sql-param body]
>>
>> [strip reparse=0][sql-param body][/strip]
>
>
> Thanks for that Mike. For the sake of completion, to get the effect
> of:
>
> 	- not ENcoding [
> 	- not DEcoding [
> 	- not interpolating [scratch foo]
>
> What was needed for a looping tag is:
>
>  [pragma safe_data]
>
>   ...code....
>   [strip reparse=0][sql-param body][/strip]
>   ...code...
>
>
> With [cgi foo] I needed to:
>
>   [calcn reparse=0]
>    return $CGI->{foo};
>   [/calcn]
>


I would like to point out that in my post above:

    [calcn reparse=0]
     return $CGI->{foo};
    [/calcn]

is inherently dangerous, as you would be explicitly allowing chars like '[' and
'<'. Thanks to someone for reminding me of that off list :) Someone can pass through:

 <script> Delete_Linux_and_Install_Windows(); </script>

Another thing to watch out for is how [calcn] reparses by default, which
seems counterintuitive.

Paul
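The thread above distinguishes two separate injection problems that the same raw string can carry: a `[scratch foo]` in the data gets expanded by the template engine if the tag's return value is reparsed (server-side ITL injection), and a `<script>` in the data reaches the browser intact if nothing HTML-encodes it (client-side XSS). The following is an added example, not Interchange code and not from anyone on the list. It models the engine with a single toy tag, `[scratch NAME]`, and three rendering choices; the sample database body and CGI value are constructed, and the `&#91;` encoding for `[` is an assumption about what "encoding" the bracket means here, not a statement of how Interchange itself does it.

```python
"""Toy model of reparse/encode choices when echoing stored or CGI data.
Added example: a one-tag template engine, not Interchange's own code."""
import html
import re

# Constructed sample data (assumed; not the original poster's table or form).
SCRATCH = {"foo": "<<expanded by template engine>>"}
DB_BODY = ("Hello, a left square bracket like [ is the same as [ and "
           "sometimes ITL can look like this [scratch foo]... bye!")
CGI_FOO = "<script> Delete_Linux_and_Install_Windows(); </script> [scratch foo]"

_TAG = re.compile(r"\[scratch\s+(\w+)\]")


def reparse(text: str) -> str:
    """One interpolation pass: every [scratch NAME] becomes its value.
    Stands in for the engine reparsing a tag's return value (the default)."""
    return _TAG.sub(lambda m: SCRATCH.get(m.group(1), ""), text)


def encode_for_html(text: str) -> str:
    """Escape HTML metacharacters (<, >, &, quotes) AND the '[' that opens a
    template tag, so the string is inert in the browser and inert under any
    later reparse.  '&#91;' for '[' is assumed here for illustration."""
    return html.escape(text, quote=True).replace("[", "&#91;")


def render(value: str, *, reparse_output: bool, encode: bool) -> str:
    """Emulate returning VALUE from a tag with the given options.
    Encoding happens first, so a subsequent reparse finds no live '['."""
    out = encode_for_html(value) if encode else value
    return reparse(out) if reparse_output else out


def contains_live_markup(output: str) -> bool:
    """Crude check: a literal '<' is something a browser would parse."""
    return "<" in output


if __name__ == "__main__":
    cases = [
        ("default: reparse, no encode", dict(reparse_output=True, encode=False)),
        ("reparse=0, no encode (raw)", dict(reparse_output=False, encode=False)),
        ("encode, then reparse (safe)", dict(reparse_output=True, encode=True)),
    ]
    for label, opts in cases:
        for name, value in (("DB_BODY", DB_BODY), ("CGI_FOO", CGI_FOO)):
            out = render(value, **opts)
            print(f"{label:30} {name}: live markup={contains_live_markup(out)}")
            print("    ", out)
```

The second mode is the `[calcn reparse=0] return $CGI->{foo}; [/calcn]` situation from the post: the `[scratch foo]` survives as literal text, which is what the poster wanted, but so does the `<script>` element. The third mode shows that encoding before output fixes both at once, and stays fixed even if the engine reparses the result by default, because the encoded `&#91;` is no longer a tag opener.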

More information about the interchange-users mailing list