PerlMonks  

Re^2: default_escape for Template::Toolkit?

by andreas1234567 (Vicar)
on Apr 16, 2008 at 10:40 UTC (#680762)


in reply to Re: default_escape for Template::Toolkit?
in thread default_escape for Template::Toolkit?

what do you do to prevent XSS reliably?
  • Sanitize user input using an accept-known-good-only approach (link to owasp.com). I find Embperl::Form::Validate very useful, although there are many others as well.
  • Flip HTML::Mason's default_escape_flags so that if someone enters:
    <script>load_malicious_javascript_from_hacker_site;</script>
    into a text field in your blog, it is displayed verbatim rather than turned into executable code.
The OWASP Guide to Building Secure Web Applications version 3 draft is out. It is certainly an interesting read for those concerned about web application security.
--
When you earnestly believe you can compensate for a lack of skill by doubling your efforts, there's no end to what you can't do. [1]


Re^3: default_escape for Template::Toolkit?
by moritz (Cardinal) on Apr 16, 2008 at 10:53 UTC
    I think the question was directed at TT users. At least mine was.
    Flip HTML::Mason's default_escape_flags

    That's the point. TT doesn't seem to have such a flag (or at least nobody knows about it). HTML::Template and HTML::Mason (documented in HTML::Mason::Compiler) have some default escaping mechanism. So what do the TT users do?

    I can't believe they never forget to escape something and therefore don't need a better solution.

      I agree that I have taken tinita's last question in Re: default_escape for Template::Toolkit? out of the original context.

      So what do the TT users do?
      I have no idea. Except consider how important such a feature is, and given it's important, switch to a templating system that supports it.
      --
      When you earnestly believe you can compensate for a lack of skill by doubling your efforts, there's no end to what you can't do. [1]
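The thread above contrasts HTML::Mason's default_escape_flags with Template Toolkit, which has no equivalent switch, so TT users have to escape each output explicitly. The following Perl script is an added example and is not code from the thread or from the Template Toolkit project; it assumes only the Template module and its built-in `html` filter. It renders the same constructed user-supplied string through an unescaped and an escaped template, so the difference a missing filter makes can be seen directly and checked in a test.

```perl
#!/usr/bin/env perl
# Added example (not from the PerlMonks thread): Template Toolkit has no
# default_escape flag, so escaping must be done explicitly with the built-in
# "html" filter. This script renders the same user-supplied string through
# an unescaped and an escaped template and shows the difference.
use strict;
use warnings;
use Template;

# Constructed sample input standing in for the contents of a blog comment
# field; it reuses the string from the thread.
my $untrusted = '<script>load_malicious_javascript_from_hacker_site;</script>';

my $tt = Template->new() or die Template->error();

# Render a template string with the given variables and return the output.
# Passing scalar references lets Template work entirely in memory.
sub render {
    my ($template, $vars) = @_;
    my $out = '';
    $tt->process(\$template, $vars, \$out) or die $tt->error();
    return $out;
}

# Unescaped: the markup goes through untouched, so a browser would
# treat it as a script element rather than as text.
my $raw = render('<p>[% comment %]</p>', { comment => $untrusted });

# Escaped: the "html" filter turns <, >, & and " into entities, so the
# string is displayed verbatim.
my $safe = render('<p>[% comment | html %]</p>', { comment => $untrusted });

print "unescaped: $raw\n";
print "escaped:   $safe\n";

# A check a regression test can apply to rendered pages: when the only
# source of this text is user input, no raw <script> tag should survive.
sub contains_raw_script {
    my ($html) = @_;
    return $html =~ /<script\b/i ? 1 : 0;
}

print "raw output contains a script tag:     ", contains_raw_script($raw),  "\n";
print "escaped output contains a script tag: ", contains_raw_script($safe), "\n";
```

Note that wrapping a region in `[% FILTER html %] ... [% END %]` is not a substitute for a default escape: it escapes the template's own literal markup as well as the interpolated values. Input validation of the accept-known-good kind described in the first post remains a separate layer; output escaping is what keeps a value that did get through from being interpreted as HTML.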
