PrePAN


Text::Quote::Self Encapsulate unsafe string as object that quotes itself in the needed way


Synopsis

# In the part of application that handles input
# and/or raw data (think MVC::model)

use Text::Quote::Self qw(safe_text);

sub do_something {
    my $user_input = shift;
    my $safe = safe_text( $user_input );
    # Same as Text::Quote::Self->new($user_input)
    ref $safe; # Text::Quote::Self
    "$safe"; # eq $user_input
    $safe =~ s/foo/bar/g; # effect is permanent

    # more processing
    my %output;
    $output{unsafe_value} = $safe;
    # .........
    return \%output;
}

# in the part of application responsible
# for output (think MVC::view)
use Text::Quote::Self qw($safe_text_escaping);

sub format_html {
     my $data = shift;
     local $safe_text_escaping = "as_html";
     "$data->{unsafe_value}";
        # now with &gt; and &lt;
     $data->{unsafe_value}->as_uri;
        # uri-escaped for e.g. links
     $data->{unsafe_value}->as_is;
        # raw unsafe data in case one needs it
}

sub make_link {
     my $data = shift;
     # $data is a hash reference, so the key is removed through the reference
     my $url = delete $data->{url};
     local $safe_text_escaping = "as_uri";
     return "$url?" . join "&", map {
        "$_=$data->{$_}"
     } keys %$data;
}

Description

UPDATE Renamed Text::Escape::Any => Text::Quote::Self - does the latter make more sense?

I would like to present a module that can hide potentially dangerous strings behind a facade with overloaded stringification. The concrete stringification method (as-is, uri-escape, quotemeta, etc.) is chosen based on a package variable. Such a variable can be localized to a scope, and is honoured by all of my stringifier objects at once.

This way the part of the application that handles data does not need to know how we're going to present the data. And the presentation part may handle all of its input values as plain strings and not care to quote them properly, as long as the preferred stringification method is set.

I still have some questions, mostly on naming:

  • Is Text:: the right namespace?
  • Is Text::Escape::Any a descriptive enough name, and what would be better if not?
  • It seems reasonable to abbreviate the constructor. Is safe_text() a rare enough function name to not infringe on users' functions/methods?
  • I want to keep the package switch name as close to the above as possible. Is $safe_text_escaping good enough?
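
The mechanism described above (overloaded stringification selected by a localized package variable), as an added sketch that is not the proposed module's code. The package name My::SelfQuote, the variable $escaping, and the simplified escaping routines are assumptions made for illustration.

```perl
use strict;
use warnings;

package My::SelfQuote;    # hypothetical stand-in, not the proposed module

our $escaping = 'as_is';  # plays the role of $safe_text_escaping

my %HTML = ( '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
             '"' => '&quot;', "'" => '&#39;' );
# Only these modes are reachable through the package variable.
my %MODE = ( as_is => \&as_is, as_html => \&as_html, as_uri => \&as_uri );

use overload
    '""' => sub {
        my $mode = $MODE{$escaping}
            or die "unknown escaping mode '$escaping'\n";
        return $mode->( $_[0] );
    },
    fallback => 1;

sub new     { my ( $class, $raw ) = @_; return bless { raw => "$raw" }, $class }
sub as_is   { return $_[0]{raw} }
sub as_html { ( my $s = $_[0]{raw} ) =~ s/([&<>"'])/$HTML{$1}/g; return $s }
sub as_uri {
    my $s = $_[0]{raw};
    utf8::encode($s);     # percent-encode the UTF-8 bytes
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf '%%%02X', ord $1/ge;
    return $s;
}

package main;

# Constructed hostile input.
my $name = My::SelfQuote->new('<script>alert(1)</script>&x=1');

{
    local $My::SelfQuote::escaping = 'as_html';
    print "<p>Hello, $name</p>\n";    # markup characters become entities
}
{
    local $My::SelfQuote::escaping = 'as_uri';
    print "/search?q=$name\n";        # reserved characters percent-encoded
}
# No mode localized here: the default applies and the raw string is emitted.
print "default: $name\n";
```

The last line shows the property to check when reviewing code built on this pattern: any interpolation that happens outside a scope where the mode has been localized falls back to the default, which in the synopsis is the unescaped string.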
