Module to filter user-input HTML text for security?

u914 has asked for the wisdom of the Perl Monks concerning the following question:

Hello Monks,

I've trolled around Search, Super Search, http://perlmonks.thepen.com and CPAN's HTML section looking for a nice way to take web-input data and filter it for broken and/or potentially harmful things. HTML::QuickCheck looks close, but only parses for correct html, and was last updated in 1995.

update: using cpan.uwinnipeg.ca is not the best idea, as it seems rather out of date.

Alas, no luck. I'm using blosxom and would like to use the the comments plugin, but it is heinously insecure in that it accepts any old text and will then post it to the blogpage...

I'm concerned about SSI, bad/unclosed html tags, cross-site scripting (XSS) attacks and so forth... the HTML-QuickCheck module addresses some of this, and i could use a regex to filter HTML comments and PHP include tags and so forth, but i suspect someone has already built this wheel.

Recommendations?

UPDATE: i found my own answer while checking the CPAN link above.... HTML::CGIChecker. I'm going to post this anyhow, so others can see it, and for the next schlub who searches here for help on securing blosxom, may (s)he find it early!

update2: using cpan.uwinnipeg.ca is not the best idea, as it seems rather out of date.

Comment on Module to filter user-input HTML text for security?

Replies are listed 'Best First'.
Re: Module to filter user-input HTML text for security? by u914 (Pilgrim) on Jul 17, 2004 at 10:34 UTC
The more i look at the blosxom "comments" plugin, the more i realize that really securing it may well be over my head. I'm taking a crack at it, but can i solicit advice from the crowd here? Things like this look obviously bad to me, and make me wonder what else lurks : `foreach ("", split(/\//, $path)) { $p .= "$_/"; -d "$comments_dir$p" or mkdir "$comments_dir$p", 0755; }` [download] The entire package is pasted below.... Read more... (28 kB)	[reply] [d/l] [select]
Re: Module to filter user-input HTML text for security? by ccn (Vicar) on Jul 17, 2004 at 10:14 UTC
HTML-Sanitizer HTML-Scrubber	[reply]
Re: Module to filter user-input HTML text for security? by sgifford (Prior) on Jul 18, 2004 at 03:47 UTC
I've had good luck with HTML::StripScripts.	[reply]
Re^2: Module to filter user-input HTML text for security? by u914 (Pilgrim) on Jul 18, 2004 at 13:58 UTC
thanks! i'll give those and the others mentioned a try.. Not that i really feel competent to be "securing" something for open web use, but.... i guess it's better than nothing! i was sort of hoping (hint, hint) that some of the high-ranking Saints around here might give the plugin a go-over. It looks to me like there's a LOT of people out there using it as-is.... and i'm sure the author would welcome some free, good feedback. ;-)	[reply]
Re: Module to filter user-input HTML text for security? by lhoward (Vicar) on Jul 18, 2004 at 14:03 UTC
not a perl module, but mod_security is a great tool to use to add another layer of protection to an apache webserver. It analyzes the http requests to block sql injection, cross site scripting, etc... L	[reply]


There's more than one way to do things
	PerlMonks