Re^2: XSS-Bug in HTML::BBCode

by Corion (Pope)
on Aug 14, 2007 at 14:06 UTC (#632500=note)


in reply to Re: XSS-Bug in HTML::BBCode
in thread XSS-Bug in HTML::BBCode

I guess that allowing only /^\w+$/ as values is a sane approach at least for the [color] tag. For the other values, you will need to come up with other ways, I suggest restrictive regular expressions there as well. As long as you keep the permissions restrictive in the sense that your REs describe what's allowed instead of describing what's forbidden, you'll be safe(r).

Especially for the [colour] tag, you could also explicitly list the set of allowed colours in your regular expression.
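The allow-list approach described above, written out as an added example in Perl (this is illustration code, not code from HTML::BBCode or from Corion's post). It assumes the [color] value ends up inside a style attribute, it uses a small constructed list of named colours, and it also accepts #rgb / #rrggbb hex values, which goes slightly beyond the /^\w+$/ rule in the post. A deny-list variant is included only to show why describing what is forbidden is the weaker strategy.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not HTML::BBCode's own code: validate a [color=...] value
# by describing what is allowed, then build the HTML from the validated value.

# Constructed allow-list of named colours; extend it to whatever your site permits.
my %NAMED_COLOUR = map { $_ => 1 } qw(
    black white red green blue yellow orange purple gray grey
);

# Returns the normalised colour if it is on the allow-list, undef otherwise.
sub colour_value {
    my ($raw) = @_;
    return undef unless defined $raw;

    # Named colour, compared case-insensitively against the list above.
    return lc $raw if $NAMED_COLOUR{ lc $raw };

    # Hex colour: '#' followed by exactly three or six hex digits, nothing else.
    return lc $raw if $raw =~ /\A#(?:[0-9a-f]{3}|[0-9a-f]{6})\z/i;

    # Anything else (quotes, ';', 'url(', 'expression(', ...) is refused outright.
    return undef;
}

# Deny-list variant for contrast: strips a few known-bad characters and words.
# It has to enumerate every attack, and it never will.
sub colour_value_denylist {
    my ($raw) = @_;
    return undef if $raw =~ /[<>"]/ || $raw =~ /javascript/i;
    return $raw;
}

# Minimal HTML escaping for the tag body (the text between [color] and [/color]).
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Render [color=X]text[/color]. If X is rejected, the tag is dropped and only
# the escaped text survives, so a bad value can never reach the attribute.
sub render_colour {
    my ($raw_colour, $text) = @_;
    my $colour  = colour_value($raw_colour);
    my $escaped = escape_html($text);
    return $escaped unless defined $colour;
    return qq{<span style="color:$colour">$escaped</span>};
}

# Constructed inputs: two legitimate values and three attacker-style values.
my @inputs = (
    'red',
    '#00FF00',
    q{red" onmouseover="alert(1)},              # attribute break-out attempt
    q{red;background:url(data:text/html,x)},    # CSS injection attempt
    q{expression(alert(1))},                    # legacy IE CSS expression
);

for my $v (@inputs) {
    printf "%-40s allow-list: %-12s deny-list: %s\n",
        $v,
        colour_value($v)          // '(rejected)',
        colour_value_denylist($v) // '(rejected)';
}

print render_colour('red', 'hello <b>world</b>'), "\n";
print render_colour(q{red" onmouseover="alert(1)}, 'hello'), "\n";
```

Running this shows the first two inputs accepted by both validators, while the deny-list still lets the CSS injection and the expression() value through; the allow-list rejects all three hostile inputs without knowing anything about them. The same pattern applies to the other tags mentioned in the thread: write a regex that spells out the full grammar of a legitimate value and anchor it with \A and \z, rather than searching for characters you think are dangerous.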
