XSS-Bug in HTML::BBCode

by Taulmarill (Deacon)
on Aug 14, 2007 at 13:28 UTC (#632482=perlquestion)
Taulmarill has asked for the wisdom of the Perl Monks concerning the following question:

As I was looking for a nice BBCode2HTML converter, I came across the following behavior of the module, which I think is a bug that could be exploited to insert JS.
[color=blue" onmouseover="this.innerHTML = 'XSS']test[/color]
<span style="color: blue" onmouseover="this.innerHTML = 'XSS'">test</span>

I used the following script to test this behavior:
use strict;
use warnings;
use HTML::BBCode;

# The payload: the double quote closes the style attribute and the
# rest of the "color" value lands inside the generated <span> as an
# event handler attribute.
my $bbcode = q~[color=blue" onmouseover="this.innerHTML = 'XSS']test[/color]~;

my $bbc = HTML::BBCode->new( {
    no_html    => 1,
    no_jslink  => 1,
    linebreaks => 1,
} );

print $bbc->parse($bbcode);
print "\n";
If I made a mistake or there is a workaround other than disabling the color tag (and maybe other tags, too), please let me know. Also, I would like to hear other suggestions for BBCode2HTML converters (it doesn't have to be exactly BBCode, it could be something similar) that are known to be safe for public websites.
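The root cause visible in the output above is an attribute-injection bug: the value after [color= is copied verbatim into a double-quoted style attribute, so a quote in the value ends that attribute and the rest becomes new attributes. The no_html and no_jslink options, as the test script shows, do not cover that attribute value. The following is an added example written for this page, not HTML::BBCode's own code, showing a minimal [color=...] converter in the vulnerable shape beside a hardened one. The function names, the allow-list pattern for colour values and the decision to echo a rejected tag back as escaped text are all this example's own choices; the module's eventual fix may look different.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Minimal HTML escaper in core Perl only (no HTML::Entities needed), so
# the script runs stand-alone. Covers text nodes and quoted attributes.
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;    # must be first, or later entities get doubled
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Vulnerable converter: the colour value is interpolated into the
# attribute unchanged, reproducing the behaviour reported in the post.
sub color_to_html_unsafe {
    my ($bbcode) = @_;
    $bbcode =~ s{\[color=([^\]]*)\](.*?)\[/color\]}
                {<span style="color: $1">$2</span>}gs;
    return $bbcode;
}

# Allow-list for the colour value (example pattern, assumed for this
# script): a CSS colour keyword of plain letters, or a 3/6-digit hex
# value. Anything with quotes, spaces or punctuation cannot match.
my $COLOR_RE = qr{\A(?:[a-zA-Z]{1,20}|#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6})\z};

# Hardened converter: validate the attribute value against the
# allow-list and HTML-escape the inner text. A tag whose value fails
# validation is not turned into markup at all; it is emitted as
# escaped literal text so the user sees what was rejected.
sub color_to_html_safe {
    my ($bbcode) = @_;
    $bbcode =~ s{\[color=([^\]]*)\](.*?)\[/color\]}
                { render_color($1, $2) }gse;
    return $bbcode;
}

sub render_color {
    my ($color, $text) = @_;
    my $inner = escape_html($text);
    return $color =~ $COLOR_RE
        ? qq{<span style="color: $color">$inner</span>}
        : escape_html("[color=$color]") . $inner . '[/color]';
}

# Constructed inputs: the payload from the post, then a benign tag.
my $payload = q{[color=blue" onmouseover="this.innerHTML = 'XSS']test[/color]};
my $benign  = q{[color=#ff0000]<b>bold?</b>[/color]};

print "unsafe: ", color_to_html_unsafe($payload), "\n";
print "safe:   ", color_to_html_safe($payload), "\n";
print "safe:   ", color_to_html_safe($benign), "\n";
```

The unsafe path yields exactly the <span ... onmouseover=...> line quoted in the post. The safe path never lets user data reach an attribute without first matching a pattern that excludes quotes and spaces, so escaping alone is not relied on for the attribute; escaping is still applied to the text content so that the benign input cannot smuggle raw tags. Allow-listing the value, rather than escaping it, is what keeps the style attribute free of arbitrary CSS as well as of attribute breakouts; the same rule should be applied to every BBCode tag that takes a parameter (url, img, size and so on), not only color.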

Re: XSS-Bug in HTML::BBCode
by moritz (Cardinal) on Aug 14, 2007 at 13:39 UTC
    This looks like a (severe) bug indeed. Did you notify the author of HTML::BBCode?

    (Update: fixed link)

      Just posted a bug report on
      It took me a while to find my password for PAUSE, because I use it rarely.

        Thanks for reporting!

        I'll see if I can patch it asap. Any pointers on how to prevent this in a nice way could be helpful :-)


        All code is usually tested, but rarely trusted.

Node Type: perlquestion [id://632482]
Approved by Corion