[ic] Returning raw data from looping tag - NO encode... UPDATE
Paul Jordan
paul at gishnetwork.com
Mon Nov 24 10:14:58 EST 2003
Paul Jordan wrote:
> Mike Heins [mike at perusion.com] wrote:
>> Quoting Paul Jordan (paul at gishnetwork.com):
>>>
>>> 4.9.8 Mysql
>>>
>>> Assume I have in a table column:
>>>
>>> Hello, a left square bracket like [ is the same as [ and
>>> sometimes ITL can look like this [scratch foo]... bye!
>>>
>>> In short, How can I return the above line, from a database via
>>> [sql-param body] without interpolating (reparsing) anything inside
>>> of [sql-param body]
>>
>> [strip reparse=0][sql-param body][/strip]
>
>
> Thanks for that Mike. For the sake of completion, to get the effect
> of:
>
> - not ENcoding [
> - not DEcoding [
> - not interpolating [scratch foo]
>
> What was needed for a looping tag is:
>
> [pragma safe_data]
>
> ...code....
> [strip reparse=0][sql-param body][/strip]
> ...code...
>
>
> With [cgi foo] I needed to:
>
> [calcn reparse=0]
> return $CGI->{foo};
> [/calcn]
>
Would like to point out in my above post:

[calcn reparse=0]
return $CGI->{foo};
[/calcn]

is inherently dangerous, as you would be explicitly allowing chars like '[' and
'<'. Thanks to someone for reminding me of that off list :) Someone can pass through:

<script> Delete_Linux_and_Install_Windows(); </script>

Another thing to watch out for is how [calcn] reparses by default, which
seems counterintuitive.

Paul
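An added illustration of the risk described in the post above, not part of the original message and not Interchange's own code: plain Perl that encodes both HTML and ITL metacharacters in a value such as $CGI->{foo} before it is written to a page. The function name encode_for_page and the sample inputs are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Characters that are live in either context: HTML markup ('<', '>', '&',
# quotes) and Interchange tag brackets ('[', ']').
my %ENCODE = (
    '&' => '&amp;',
    '<' => '&lt;',
    '>' => '&gt;',
    '"' => '&quot;',
    "'" => '&#39;',
    '[' => '&#91;',
    ']' => '&#93;',
);

# Hypothetical helper: encode every metacharacter in one pass, so the '&'
# of an entity produced here is never encoded a second time.
sub encode_for_page {
    my ($value) = @_;
    return '' unless defined $value;
    $value =~ s/([&<>"'\[\]])/$ENCODE{$1}/g;
    return $value;
}

# Constructed sample inputs standing in for $CGI->{foo}.
my @samples = (
    '<script> Delete_Linux_and_Install_Windows(); </script>',
    'sometimes ITL can look like this [scratch foo]... bye!',
    q{Tom & "Jerry's" page},
);

for my $raw (@samples) {
    printf "raw:     %s\nencoded: %s\n\n", $raw, encode_for_page($raw);
}
```

After encoding, the sample values contain no literal '<' or '[', so the browser displays them as text and the output carries no bracketed tag for a later parsing pass to pick up.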