
Packing unsafe string for later context-based escaping

by Dallaylaen (Chaplain)
on Jan 05, 2016 at 16:30 UTC ( [id://1151982]=perlquestion )

Dallaylaen has asked for the wisdom of the Perl Monks concerning the following question:

Hello dear esteemed monks,

I have just implemented the following logic in a pet project:

Say we have a user-supplied string, which we may want to escape. Let's pack it into an object (bless \$str, $class; in fact) which has serialization methods as_is(), as_html(), as_uri(), as_shell() etc. and, last but not least, as_string() (aka overloaded "") which chooses one of the above based on an exported package variable $how_to_escape.

This way, we don't need to babysit a potentially unsafe value, but can still get it as is when needed (say, save to a database or send via JSON). The $how_to_escape var may be localized, meaning that we'll get guaranteed uniform escape of ALL such packed variables in a given scope without affecting anyone outside.

I would like to know if such an approach makes any sense at all, and if it does, do similar modules already exist?

Thank you.

  • Comment on Packing unsafe string for later context-based escaping
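
The design described in the question, as an added sketch that is not Dallaylaen's code or an existing CPAN module. The package name `SafeStr`, the `%mode` table, the `html` default and the choice to die on an unknown mode are assumptions; only core Perl is used.

```perl
package SafeStr;                       # hypothetical package name, not from the thread
use strict;
use warnings;
use Carp qw(croak);
use overload '""' => 'as_string', fallback => 1;

our $how_to_escape = 'html';           # assumed default; callers override it with local

sub new   { my ($class, $str) = @_; return bless \$str, $class }
sub as_is { return ${ $_[0] } }

sub as_html {
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');
    (my $s = ${ $_[0] }) =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

sub as_uri {
    my $s = ${ $_[0] };
    utf8::encode($s);                  # percent-encode the UTF-8 bytes, not code points
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf '%%%02X', ord $1/ge;
    return $s;
}

sub as_shell {                         # POSIX sh single-quoting: ' becomes '\''
    (my $s = ${ $_[0] }) =~ s/'/'\\''/g;
    return "'$s'";
}

# An explicit table (rather than can("as_$how_to_escape")) keeps as_string itself
# out of the lookup, so a mode named 'string' cannot recurse.
my %mode = (is => \&as_is, html => \&as_html, uri => \&as_uri, shell => \&as_shell);

sub as_string {
    my ($self) = @_;
    my $code = $mode{ $how_to_escape // '' }
        or croak "unknown escape mode";    # fail closed: never fall back to the raw value
    return $self->$code;
}

package main;

my $name = SafeStr->new(q{<b>O'Reilly</b> & sons; echo hi});   # constructed input

print "html:  $name\n";
{ local $SafeStr::how_to_escape = 'shell'; print "shell: echo $name\n"; }
{ local $SafeStr::how_to_escape = 'uri';   print "uri:   /search?q=$name\n"; }
print "raw:   ", $name->as_is, "\n";
print "bad:   ", (eval { local $SafeStr::how_to_escape = 'sql'; "$name" } // "refused: $@");
```

The escape is applied at the moment of stringification, so a string built under one value of `$how_to_escape` keeps that escaping even if it is later output in a different context.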

Replies are listed 'Best First'.
Re: Packing unsafe string for later context-based escaping
by Eily (Monsignor) on Jan 05, 2016 at 16:57 UTC

    I don't think I have ever seen something like that in a module, but I like it. This post would have been in its place in CUFP, because strings that automatically escape themselves in the right way depending on the context (scope, in this case) is one cool feature IMHO. And I don't think the languages perl is often compared with (ruby and python) provide such an easy and transparent way of achieving an equivalent result, if at all. Which makes it a perl-specific feature, and not a Cool Use For Most High Level Languages.

    ++ to you

      Thanks for your reply!

      I believe I could write it in Python as well. The __str__ method would handle stringification (concrete method selection in our case). Scoping can be implemented in any language that has destructors (__del__ in Python's case) by using guard variables. Ditto C++ (via operator const string & IIRC).

      UPDATE I was totally wrong about Python's scoping, looks like it's done another way.

      Not sure how it can be done in Java and JavaScript, though.

      And... I'm a bit ashamed to ask, but... What is CUFP?

        No need to be, I didn't use the full name. It's Cool Uses for Perl where people talk about cool things that perl allows you to do, though sometimes it relies on features shared among high level languages, which explains my post.

        Indeed there are ways to obtain the same result with objects and destructors, pretty nice solution as well actually.

Re: Packing unsafe string for later context-based escaping
by choroba (Cardinal) on Jan 05, 2016 at 21:11 UTC
Re: Packing unsafe string for later context-based escaping
by Your Mother (Archbishop) on Jan 05, 2016 at 17:13 UTC

    It feels a little like a solution in search of a problem but it is a fun idea. ++ here too.

Re: Packing unsafe string for later context-based escaping
by hotchiwawa (Scribe) on Jan 05, 2016 at 17:13 UTC
    Hi Dallaylaen :)

    In fact you are searching for a module that will make all the checks for you, right?
    But what in case of a potential problem?

    Option 1 => an exception is thrown and you will invalidate the input
    Option 2 => go ahead and try to solve it with another code (your code...) => same problematic :(

    Rem: your post is a good question

    Perl::Critic has policies; it could help.
    https://metacpan.org/pod/Perl::Critic

    Peace

      Um, no, I'm not trying to check anything. I'm trying to pack a string which I get from a user (whether checked or not) in such a way that it is displayed in a safe manner to another user while retaining the original content for my own dark purposes.

      This may be seen as a data/presentation split for a given string, where the specific presentation method is common for all strings and depends on which part of my software I'm currently in.

        A JSON format will not help you?

Node Type: perlquestion [id://1151982]
Approved by Paladin
Front-paged by Old_Gray_Bear