PerlMonks  

Reroh Rorge: Opinions needed on CGI security

by baku (Scribe)
on Feb 14, 2001 at 19:33 UTC (#58359=note)


in reply to Re: Re (tilly) 2: Opinions needed on CGI security
in thread Opinions needed on CGI security

There are a few ways to get almost all known HTML/JS evils out of the way...

The simplest, and a very effective one, is to simply URL-encode everything that comes in, like the PerlMonks.Com <code> tag does. The following JavaScript is harmless: <script>alert("I am malevolent");</script> because it has turned into &lt;script&gt;... before your browser sees it.

If you like certain HTML constructs, allow only them, like the <p> & <em> tags I'm using in this post (but not the <form> tag here: <form><input type="text" size="2"></form>).

For better safety, as well as flexibility in presentation (HTML, WML, PDF, &c.) using an HTML->internal form->presentation form sequence might be desirable; e.g. using an XML dialect with no scripting, &c. internally.

The only "badness" I know of which can't be readily filtered out this way is a hyperlink containing potentially malicious content, e.g. a link to a site that does evil things, or (but I don't think any current browsers are troubled by this) a buffer overrun in the URL itself or sommat.

But, I'm sure someone will think of something interesting that can be done with <p> in IE 6, and we'll all be back to the drawing board :-)
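To make the two approaches in the post concrete, here is an added Perl example; it is not code from the post, from PerlMonks, or from any module. `html_escape` does what the post describes for the `<code>` tag: every special character becomes an entity, so `<script>` reaches the browser as text. `allow_simple_tags` is the allowlist approach: only bare `<p>`, `</p>`, `<em>` and `</em>` are kept, and any other tag, including an allowed tag name that carries attributes, is escaped. The function names and the sample input are my own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the characters that change meaning in HTML text or attribute
# context. The order matters: '&' first, or later entities get doubled.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Allowlist of tag names (hypothetical set chosen for this example).
my %ALLOWED = map { $_ => 1 } qw(p em);

# Keep only bare allowed tags such as <p> or </em>. A tag with any
# attribute (e.g. <em onclick="...">) never matches the first branch
# below, so its leading '<' is escaped and the rest is treated as text.
sub allow_simple_tags {
    my ($s) = @_;
    my $out = '';
    while ($s =~ /\G(?:(<\/?[A-Za-z][A-Za-z0-9]*>)|([^<]+)|(<))/gc) {
        if (defined $1) {
            my $tag = $1;
            my ($slash, $name) = $tag =~ /^<(\/?)([A-Za-z0-9]+)>$/;
            # Re-emit allowed tags in canonical lowercase form; escape the rest.
            $out .= $ALLOWED{lc $name} ? "<$slash" . lc($name) . ">"
                                       : html_escape($tag);
        } elsif (defined $2) {
            $out .= html_escape($2);     # plain text between tags
        } else {
            $out .= '&lt;';              # stray or attribute-bearing '<'
        }
    }
    return $out;
}

# Constructed sample input, mixing the post's two examples.
my $input = '<script>alert("I am malevolent");</script> <em>ok</em> '
          . '<form><input type="text" size="2"></form>';

print html_escape($input), "\n";
# Everything is text; nothing renders as markup.

print allow_simple_tags($input), "\n";
# Only <em>ok</em> survives as markup; script and form are shown as text.
```

The allowlist version deliberately rejects attributes altogether rather than trying to filter them, since attributes such as event handlers and `href` values are where the post's remaining "hyperlink" problem lives; if links are wanted, they need their own check on the URL scheme and target, which this example does not attempt.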

